feat: scope security-review cache-memory to PR via key field

[Copilot]

The security-review workflow's prior attempt at PR-scoped memory used id: which changes the mount path to /tmp/gh-aw/cache-memory-{id}/, while the prompt hardcodes /tmp/gh-aw/cache-memory/ — so memory was never found. The correct field is key:, which scopes the GitHub Actions cache entry without altering the mount point.

Changes

• security-review.md: Replace cache-memory: true with a PR-scoped key:

  tools:
    cache-memory:
      key: "security-review-pr-${{ github.event.pull_request.number }}"

• security-review.lock.yml: Update restore/save cache keys accordingly. Per gh-aw docs, custom keys auto-append -${{ github.run_id }}; progressive restore-keys fall back from same-PR → any prior security-review run:

  key: security-review-pr-${{ github.event.pull_request.number }}-${{ github.run_id }}
  restore-keys: |
    security-review-pr-${{ github.event.pull_request.number }}-
    security-review-pr-
    security-review-
    security-

Note: The .lock.yml frontmatter_hash metadata comment will be stale until gh aw compile is run locally.

Testing

• Not run (why?)
• uv run poe check
• Other: CodeQL scan — 0 alerts. No Python/test changes; config-only.

Checklist

• Linked issue or task reference
• Added/updated tests where relevant
• Updated docs/README if needed
• No secrets or sensitive data added
• Considered backward compatibility and deployment impact

Additional context

• id: is for distinguishing multiple cache-memory entries (each gets its own subfolder). key: is for controlling the GitHub Actions cache key used to save/restore a single entry. These are orthogonal concerns; the original attempt conflated them.
• The four-level restore fallback ensures a new PR can still warm its cache from a previous PR's run (e.g., for the shared security-review-patterns.json), while preferring same-PR context first.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• deepwiki.com
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
• github.github.com
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
• github.github.io
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
• https://api.github.com/repos/github/gh-aw/releases/latest
  • Triggering command: /usr/bin/gh gh extension install github/gh-aw (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Investigate agentic workflow cache-memory with custom IDs</issue_title>
<issue_description>## Context

The security-review.md agentic workflow uses cache-memory to allow the agent to remember prior review context across PR synchronize events (new pushes to the same PR). We attempted to use named cache-memory IDs to scope memory per PR, but at runtime the memory feature did not work with custom IDs.

The workflow was reverted to cache-memory: true (default behavior) to restore functionality.

What was tried

tools:
  cache-memory:
    id: "security-review-pr-${{ github.event.pull_request.number }}"

This did not work — the agent did not retain memory across runs.

What works

tools:
  cache-memory: true

Tasks

• Investigate the cache-memory tool configuration options in the gh-aw documentation
• Determine how custom memory IDs work (supported syntax, variable interpolation, scoping)
• Determine whether ${{ github.event.pull_request.number }} expressions are supported in tool config values
• Test with a named ID to confirm it works end-to-end
• If custom IDs work, update security-review.md to use a PR-scoped memory ID so reviews can track resolved findings across pushes
• Consider whether other agentic workflows (copilot-review.md, pr-review-comment-handler.md) would also benefit from scoped memory

Related

• PR feat: add agentic workflows and security posture #51 — agentic workflow and security posture
• Issue [Feature] Apply principle of least privilege to secrets in workflow_call #49 — principle of least privilege for secrets in agentic workflows</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Investigate agentic workflow cache-memory with custom IDs #50

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.