Migrate dependency-update workflow to GitHub Agentic Workflows (gh-aw) #1064

Description

@dgee2

Background

The Dependency updates (copilot) workflow (.github/workflows/dependency-update.yml) currently runs the Copilot CLI directly in a standard GitHub Actions job. This approach grants the agent live write tokens while it processes untrusted external content (package changelogs, npm registry data, GitHub release notes), creating a structural prompt injection risk.

GitHub Agentic Workflows (gh-aw) eliminates this risk through a defence-in-depth architecture:

  • Read-only agent tokens — the agent cannot push or create PRs itself
  • Network firewall (AWF) — egress restricted to an explicit domain allowlist (dotnet, node, github ecosystem bundles exist)
  • Safe Outputs — agent requests actions via a structured artifact; a separate scoped job applies them after threat detection passes
  • Threat detection — AI-powered scan for prompt injection and malicious code before any write occurs

Proposed Design

Replace the current dependency-update.yml with three compiled agentic workflow files, one per ecosystem:

| Source file | Ecosystem |
| --- | --- |
| .github/workflows/dependency-update-dotnet.md | .NET / NuGet |
| .github/workflows/dependency-update-node.md | Node / npm / pnpm |
| .github/workflows/dependency-update-github-actions.md | GitHub Actions |

Each compiles (via gh aw compile) to a .lock.yml in .github/workflows/.

A lightweight standard GHA wrapper (dependency-update.yml) can remain to provide the workflow_dispatch target-group selector and trigger individual ecosystem workflows on schedule.

Each agentic workflow would declare:

engine: copilot
network:
  allowed:
    - defaults
    - github
    - dotnet   # NuGet / .NET SDK (dotnet workflow only)
    - node     # npm / pnpm (node workflow only)
tools:
  edit:
  bash: [":*"]  # dotnet build, pnpm install, git operations
  github:
    toolsets: [default]
safe-outputs:
  create-pull-request:
    max: 10
    preserve-branch-name: true
    recreate-ref: true
    allowed-branches:
      - copilot/dependency-update/*
    fallback-as-issue: false
  close-pull-request:
    max: 10
  add-labels:
    max: 30

The existing skills (.github/skills/dependency-update-*.md) and prompt files (.github/prompts/dependency-update*.md) are reusable as-is — the agent reads them from the checked-out workspace.

Acceptance Criteria

  • gh aw CLI is used to compile each workflow to a .lock.yml
  • Each ecosystem has its own agentic workflow source file
  • The agent runs read-only (no write tokens in the agent job)
  • Network firewall is configured with the correct ecosystem bundles per workflow
  • create-pull-request safe output allows up to 10 PRs with preserved branch names and recreate-ref: true (so existing open PRs on the same branch are updated rather than duplicated)
  • close-pull-request safe output is enabled (for closing stale PRs)
  • add-labels safe output is enabled
  • The existing skills and prompt files continue to guide agent behaviour
  • Build validation (dotnet build, pnpm install, etc.) still runs before PRs are created
  • The weekly Friday 09:00 UTC schedule is preserved
  • A workflow_dispatch trigger exists on each workflow (or on a dispatcher) to allow manual per-ecosystem runs
  • The old dependency-update.yml is removed or replaced
  • The COPILOT_TOKEN secret continues to be used for Copilot CLI authentication
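
The proposed configuration and several of the criteria above can be checked mechanically before each `gh aw compile`. The following is an added example, not part of the original issue or of gh-aw: it assumes the workflow frontmatter has already been parsed into a dict, the function and constant names are hypothetical, and treating the GitHub Actions workflow as needing only the shared bundles is an assumption.

```python
# Bundles taken from the issue's config; the github-actions entry is an assumption.
SHARED_BUNDLES = {"defaults", "github"}
ECOSYSTEM_BUNDLES = {"dotnet": {"dotnet"}, "node": {"node"}, "github-actions": set()}
BRANCH_PREFIX = "copilot/dependency-update/"


def check_frontmatter(ecosystem, fm):
    """Return the list of violations for one workflow's parsed frontmatter."""
    problems = []
    allowed = set(fm.get("network", {}).get("allowed", []))
    expected = SHARED_BUNDLES | ECOSYSTEM_BUNDLES[ecosystem]
    if allowed != expected:
        problems.append(f"network.allowed {sorted(allowed)} != {sorted(expected)}")
    outputs = fm.get("safe-outputs", {})
    for name in ("create-pull-request", "close-pull-request", "add-labels"):
        if name not in outputs:
            problems.append(f"safe-outputs.{name} missing")
    pr = outputs.get("create-pull-request") or {}
    if not 1 <= pr.get("max", 0) <= 10:
        problems.append("create-pull-request.max must be between 1 and 10")
    for key, want in (("preserve-branch-name", True), ("recreate-ref", True),
                      ("fallback-as-issue", False)):
        if pr.get(key) is not want:
            problems.append(f"create-pull-request.{key} must be {want}")
    branches = pr.get("allowed-branches", [])
    if not branches or any(not b.startswith(BRANCH_PREFIX) for b in branches):
        problems.append(f"allowed-branches must all start with {BRANCH_PREFIX}")
    return problems


# Constructed sample input: the issue's frontmatter for the dotnet workflow, as a dict.
DOTNET = {
    "network": {"allowed": ["defaults", "github", "dotnet"]},
    "safe-outputs": {
        "create-pull-request": {"max": 10, "preserve-branch-name": True, "recreate-ref": True,
                                "allowed-branches": ["copilot/dependency-update/*"],
                                "fallback-as-issue": False},
        "close-pull-request": {"max": 10},
        "add-labels": {"max": 30},
    },
}
# Constructed deviation: extra bundle, widened branch pattern, fallback-as-issue unset,
# and the close-pull-request / add-labels outputs dropped.
DRIFTED = {**DOTNET, "network": {"allowed": ["defaults", "github", "dotnet", "node"]},
           "safe-outputs": {"create-pull-request": {"max": 10, "preserve-branch-name": True,
                            "recreate-ref": True, "allowed-branches": ["*"]}}}

if __name__ == "__main__":
    for name, fm in (("ok", DOTNET), ("drifted", DRIFTED)):
        print(name, check_frontmatter("dotnet", fm))
```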

Labels: enhancement (New feature or request)