[gh-aw] use GITHUB_TOKEN for Copilot inference #11659

Open
jonathanpeppers wants to merge 1 commit into dotnet:main from jonathanpeppers:jonathanpeppers/gh-aw-copilot-requests-permission

@jonathanpeppers

Adopts the new agentic workflows authentication model: with copilot-requests: write in the workflow permissions block, gh-aw uses the built-in GITHUB_TOKEN for Copilot CLI inference instead of a stored PAT, and AI credits bill directly to the dotnet organization.

Changes

  • Added copilot-requests: write to the permissions: block of:
    • .github/workflows/android-reviewer.md
    • .github/workflows/nightly-fix-finder.md
  • Ran gh aw compile to regenerate the lock files. They now wire COPILOT_GITHUB_TOKEN: ${{ github.token }} into the engine instead of ${{ secrets.COPILOT_GITHUB_TOKEN }}.
  • Bumped the gh-aw CLI from v0.79.6 to v0.79.8 (recommended in the changelog), which is what regenerated agentics-maintenance.yml (action SHA + version pin bumps).

After this merges

  • The COPILOT_GITHUB_TOKEN repo secret can be deleted — it is no longer referenced anywhere under .github/workflows/.
  • One-time org prerequisite (per the changelog): the "Allow use of Copilot CLI billed to the organization" Copilot policy must be enabled on the dotnet org. It is on by default if the existing "Copilot CLI" policy is enabled.

Intentionally not changed

  • ANDROID_TEAM_PAT — still required for safe-outputs.assign-to-agent in nightly-fix-finder.md. The built-in GITHUB_TOKEN cannot trigger downstream workflows from a Copilot assignment, which is a separate constraint unrelated to this changelog.
  • GH_AW_GITHUB_TOKEN / GH_AW_GITHUB_MCP_SERVER_TOKEN — these govern GitHub MCP / safe-outputs auth, not Copilot inference.

Reference: https://github.blog/changelog/2026-06-11-agentic-workflows-no-longer-need-a-personal-access-token/
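
A check for the "After this merges" step in the description above, as an added example that is not part of the PR or of gh-aw: it scans workflow files for leftover references to the stored secret and for files that source COPILOT_GITHUB_TOKEN from github.token without the copilot-requests: write permission. The function names and the sample file contents are constructed for illustration, and the permission is assumed present if it appears anywhere in the file.

```python
import re
from pathlib import Path

# Patterns taken from the strings quoted in the PR description.
PAT_SECRET = re.compile(r"secrets\.COPILOT_GITHUB_TOKEN\b")
BUILTIN_TOKEN = re.compile(r"COPILOT_GITHUB_TOKEN:\s*\$\{\{\s*github\.token\s*\}\}")
PERMISSION = re.compile(r"^\s*copilot-requests:\s*write\s*$", re.MULTILINE)


def audit(files):
    """Return findings for a {path: text} mapping of workflow files."""
    findings = []
    for path, text in sorted(files.items()):
        for n, line in enumerate(text.splitlines(), 1):
            if PAT_SECRET.search(line):
                findings.append(f"{path}:{n}: still references the stored PAT secret")
        # Assumption: a file-level match is enough; job scoping is not parsed.
        if BUILTIN_TOKEN.search(text) and not PERMISSION.search(text):
            findings.append(f"{path}: uses github.token for inference without copilot-requests: write")
    return findings


def load_workflows(root="."):
    """Read every .md/.yml/.yaml file under <root>/.github/workflows/."""
    wf = Path(root) / ".github" / "workflows"
    return {str(p): p.read_text(encoding="utf-8")
            for p in wf.glob("*") if p.suffix in {".md", ".yml", ".yaml"}}


# Constructed sample input (not the real lock files from this PR).
SAMPLE = {
    "migrated.lock.yml": "permissions:\n  contents: read\n  copilot-requests: write\n"
                         "env:\n  COPILOT_GITHUB_TOKEN: ${{ github.token }}\n",
    "stale.lock.yml": "permissions:\n  contents: read\n"
                      "env:\n  COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}\n",
    "no-perm.lock.yml": "permissions:\n  contents: read\n"
                        "env:\n  COPILOT_GITHUB_TOKEN: ${{ github.token }}\n",
    "other.lock.yml": "env:\n  GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against a checkout with `audit(load_workflows("."))`; an empty list means no workflow file still references the secret, so it can be deleted from the repo settings.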

Adds copilot-requests: write to the permissions block of both agentic workflows so they use the built-in GITHUB_TOKEN for Copilot CLI inference instead of the COPILOT_GITHUB_TOKEN PAT. AI credits now bill directly to the dotnet organization.

See: https://github.blog/changelog/2026-06-11-agentic-workflows-no-longer-need-a-personal-access-token/

Also bumps the gh-aw CLI from v0.79.6 -> v0.79.8 (recommended in the changelog), which regenerates agentics-maintenance.yml and the lock files.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI review requested due to automatic review settings June 15, 2026 22:15

Copilot AI left a comment

Pull request overview

Updates the repo’s gh-aw agentic workflows to use the new authentication model where Copilot CLI inference is performed using the built-in GITHUB_TOKEN (with copilot-requests: write) instead of a stored PAT secret, and regenerates the compiled/locked workflows with the newer gh-aw CLI.

Changes:

  • Added copilot-requests: write to workflow/job permissions in the source workflow .md files and in the generated lock workflows.
  • Regenerated lock workflows so COPILOT_GITHUB_TOKEN is sourced from ${{ github.token }} (and removed the COPILOT_GITHUB_TOKEN secret dependency).
  • Bumped gh-aw action/CLI pins from v0.79.6 to v0.79.8 (including the generated maintenance workflow).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .github/workflows/android-reviewer.md | Adds copilot-requests: write permission to support Copilot inference via GITHUB_TOKEN. |
| .github/workflows/android-reviewer.lock.yml | Regenerated lock: uses ${{ github.token }} for COPILOT_GITHUB_TOKEN, updates gh-aw pins, and propagates permissions changes. |
| .github/workflows/nightly-fix-finder.md | Adds copilot-requests: write permission to support Copilot inference via GITHUB_TOKEN. |
| .github/workflows/nightly-fix-finder.lock.yml | Regenerated lock: uses ${{ github.token }} for COPILOT_GITHUB_TOKEN, updates gh-aw pins, and propagates permissions/guardrail output renames. |
| .github/workflows/agentics-maintenance.yml | Regenerated maintenance workflow with updated gh-aw pins/version banner. |
