Add weekly gh-aw workflow to keep AGENTS.md current #17066

Open
Copilot wants to merge 3 commits into master from copilot/weekly-update-agents-md

Copilot AI commented Apr 18, 2026

This introduces an Agentic Workflow that runs weekly to reconcile AGENTS.md with recently merged PRs and repository changes, then opens/updates a PR when drift is detected. The workflow is designed for low-touch maintenance with explicit file-scope guardrails.

  • Workflow added: weekly AGENTS maintenance

    • New source workflow: .github/workflows/weekly-update-agents-md.md
    • Triggering: fuzzy schedule: weekly + workflow_dispatch
    • Mission: compute baseline from previous successful run (fallback 7 days), review merged PRs + relevant source/config deltas, update only AGENTS.md if needed
  • Safe output and change controls

    • Uses safe outputs for PR operations (create-pull-request, push-to-pull-request-branch, noop, missing-tool)
    • Restricts writable target to AGENTS.md via:
      • allowed-files: [AGENTS.md]
      • protected-files: allowed
    • Enforces “no unrelated edits” behavior in prompt guardrails
  • Tooling and runtime configuration

    • Engine: copilot
    • Read-only repo permissions + GitHub Actions read access for baseline discovery
    • Tools: GitHub MCP (default, actions) plus minimal edit/bash commands for AGENTS diffing and inspection
    • Concurrency group added to prevent overlapping weekly runs
  • Compiled workflow artifacts

    • Added compiled lock file: .github/workflows/weekly-update-agents-md.lock.yml
    • Updated .gitattributes so lock files are treated as generated and merged with ours:
      • .github/workflows/*.lock.yml linguist-generated=true merge=ours

```yaml
safe-outputs:
  create-pull-request:
    title-prefix: "[agents-maintenance] "
    protected-files: allowed
    allowed-files: [AGENTS.md]
  push-to-pull-request-branch:
    protected-files: allowed
    allowed-files: [AGENTS.md]
```

Copilot AI and others added 3 commits April 18, 2026 14:38
Agent-Logs-Url: https://github.com/DynamoDS/Dynamo/sessions/9131ce49-96a4-4649-8268-986df9e665e7

Co-authored-by: QilongTang <3942418+QilongTang@users.noreply.github.com>
Agent-Logs-Url: https://github.com/DynamoDS/Dynamo/sessions/9131ce49-96a4-4649-8268-986df9e665e7

Co-authored-by: QilongTang <3942418+QilongTang@users.noreply.github.com>
@QilongTang QilongTang marked this pull request as ready for review April 18, 2026 20:34
Copilot AI review requested due to automatic review settings April 18, 2026 20:34
Copilot AI left a comment

Pull request overview

Adds a new Agentic Workflow (gh-aw) that runs weekly to keep AGENTS.md aligned with recent repository changes, with a compiled .lock.yml workflow artifact and git attributes to treat lock files as generated.

Changes:

  • Added a weekly agentic workflow source file to reconcile/update AGENTS.md and open/update a maintenance PR.
  • Added the compiled workflow lock file that GitHub Actions will execute.
  • Updated .gitattributes to mark workflow lock files as generated and prefer ours on merges.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| .github/workflows/weekly-update-agents-md.md | Defines the agent’s mission/guardrails, tool access, and safe-output constraints for AGENTS.md maintenance. |
| .github/workflows/weekly-update-agents-md.lock.yml | Compiled workflow executed by GitHub Actions (jobs, permissions, safe-outputs plumbing, threat detection, etc.). |
| .gitattributes | Treats .github/workflows/*.lock.yml as generated and resolves merges using ours. |

Comment on lines +8 to +12
permissions:
contents: read
issues: read
pull-requests: read
actions: read

Copilot AI Apr 18, 2026

The source workflow frontmatter lists only read permissions, but the compiled .lock.yml requires contents/pull-requests/issues: write to open/update the maintenance PR. This is easy to miss when reviewing just the .md source and also contradicts the PR description’s “read-only repo permissions” claim. Please clarify this in the .md (e.g., document the write scopes used by the safe-outputs/conclusion jobs) so reviewers and maintainers have an accurate security picture.

Copilot uses AI. Check for mistakes.
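
The mismatch raised in the comment above can be checked mechanically. This is an added example, not code from the pull request or from gh-aw: it lists write scopes granted in a compiled workflow that the source frontmatter does not declare as write. Both sample documents are constructed, the job names `agent` and `safe_outputs` are hypothetical, and the small parser only handles block-style `permissions:` maps.

```python
import re

# Constructed sample: the frontmatter permissions quoted in the review comment.
SOURCE_MD = """\
---
permissions:
  contents: read
  issues: read
  pull-requests: read
  actions: read
---
## Mission
"""

# Constructed sample of a compiled workflow; job names are hypothetical.
LOCK_YML = """\
jobs:
  agent:
    permissions:
      contents: read
      actions: read
  safe_outputs:
    permissions:
      contents: write
      issues: write
      pull-requests: write
"""

KEY_ONLY = re.compile(r"^(\s*)([\w-]+):\s*$")          # e.g. "  agent:"
KEY_VALUE = re.compile(r"^(\s*)([\w-]+):\s*(\w+)\s*$")  # e.g. "    contents: read"

def permission_blocks(text):
    """Yield (owner, {scope: level}) for each block-style `permissions:` map."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = KEY_ONLY.match(line)
        if not m or m.group(2) != "permissions":
            continue
        indent = len(m.group(1))
        # Owner is the nearest preceding key with smaller indentation (the job).
        parents = (KEY_ONLY.match(p) for p in reversed(lines[:i]))
        owner = next((p.group(2) for p in parents
                      if p and len(p.group(1)) < indent), "<top-level>")
        scopes = {}
        for nxt in lines[i + 1:]:
            s = KEY_VALUE.match(nxt)
            if not s or len(s.group(1)) <= indent:
                break
            scopes[s.group(2)] = s.group(3)
        yield owner, scopes

def undeclared_writes(source_md, lock_yml):
    """Write scopes in the compiled file not declared as write in the source."""
    declared = {}
    for _, scopes in permission_blocks(source_md.split("---", 2)[1]):
        declared.update(scopes)
    return sorted((owner, scope, declared.get(scope, "none"))
                  for owner, scopes in permission_blocks(lock_yml)
                  for scope, level in scopes.items()
                  if level == "write" and declared.get(scope) != "write")
```

Calling `undeclared_writes` on the real `.md` and `.lock.yml` contents in CI and failing on a non-empty result keeps the documented and effective permissions from drifting apart.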
## Mission

Every run, review changes since the previous successful run and keep `AGENTS.md` current. If updates are needed, commit only `AGENTS.md` and open or update a pull request.

Copilot AI Apr 18, 2026

This workflow relies on repository secrets/vars (at least COPILOT_GITHUB_TOKEN, plus the GH_AW_* tokens referenced in the compiled workflow) but the source .md doesn’t document prerequisites. Adding a short “Prerequisites” section listing required secrets/variables (and what they’re used for) will make setup/maintenance significantly easier and reduce first-run failures.

Suggested change
## Prerequisites
Before enabling or running this workflow, ensure the repository is configured with the authentication values required by the Copilot/Actions runtime:
- `COPILOT_GITHUB_TOKEN` repository secret: used by the Copilot workflow engine to authenticate GitHub API requests made while reviewing changes and preparing PR updates.
- `GH_AW_*` repository variables/tokens referenced by the compiled workflow: used by the GitHub Actions workflow runtime for the authenticated automation steps that inspect workflow history, review repository state, and create or update the maintenance pull request.
If these prerequisites are missing or misconfigured, scheduled and manual runs may fail before any `AGENTS.md` updates are produced.

Comment on lines +72 to +80
5. Validate the result:
- Confirm `AGENTS.md` remains internally consistent.
- Confirm no unrelated files are modified.

6. Open or update PR:
- If no `AGENTS.md` changes are required, call `noop` with a short explanation.
- If changes are required:
- Reuse an existing open maintenance PR if one exists with title prefix `[agents-maintenance]` by pushing to its branch.
- Otherwise create a new PR.
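
Review bot: In step 6, the existing maintenance PR is selected only by the title prefix `[agents-maintenance]`, and a PR title can be set by whoever opens the PR, so a title match alone does not establish that the branch belongs to this workflow. Suggest also requiring the expected head branch or author before pushing to its branch. Separately, step 5 says to confirm no unrelated files are modified but does not name the check; stating the concrete comparison (changed paths equal exactly `AGENTS.md`) would make the guardrail verifiable.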

Copilot AI Apr 18, 2026

The compiled workflow config sets the noop safe-output to report-as-issue: true, but this workflow’s process explicitly calls noop when no AGENTS.md changes are needed. That combination will likely open a new issue on every successful weekly no-change run, creating repo noise. Consider disabling issue reporting for noop (and reserving issues for error cases via missing-tool/missing-data/report-incomplete) and recompile the lock file.
