Reduce CI/CD gaps assessment run cost to avoid AI-credit guardrail trips

[Copilot]

The CI/CD Pipelines and Integration Tests Gap Assessment workflow was intermittently exhausting its per-run AI-credit budget (max-ai-credits), causing scheduled runs to terminate as rate-limit failures. This change reduces model/turn spend for that workflow and codifies the budget-oriented configuration in CI assertions.

• Workflow cost controls

  • Updated .github/workflows/ci-cd-gaps-assessment.md to pin a lower-cost execution profile:
    • engine.model: claude-haiku-4.5
    • max-turns: 4
  • Keeps behavior aligned with the existing assessment prompt while reducing per-run token burn.

• Compiled workflow alignment

  • Recompiled .github/workflows/ci-cd-gaps-assessment.lock.yml so runtime settings reflect the source workflow changes (model + turn cap).

• Regression guardrail

  • Added scripts/ci/ci-cd-gaps-assessment-workflow.test.ts to enforce that both source and lock files keep the intended cost profile.

# .github/workflows/ci-cd-gaps-assessment.md
max-turns: 4
engine:
  id: copilot
  model: claude-haiku-4.5

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	96.60%	96.64%	📈 +0.04%
Statements	96.47%	96.51%	📈 +0.04%
Functions	98.80%	98.80%	➡️ +0.00%
Branches	91.18%	91.21%	📈 +0.03%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/workdir-setup.ts	92.6% → 94.4% (+1.85%)	92.6% → 94.4% (+1.85%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

This pull request reduces the AI token/turn spend of the CI/CD Pipelines and Integration Tests Gap Assessment agentic workflow to avoid hitting the per-run max-ai-credits guardrail during scheduled runs, and adds a regression test to prevent accidental cost-profile drift.

Changes:

• Pinned the workflow’s cost profile by setting max-turns: 4 and engine.model: claude-haiku-4.5 in the source workflow.
• Recompiled the locked workflow so the runtime environment reflects the pinned model and turn cap.
• Added a Jest regression test to assert the source + lock workflows preserve the intended model/turn settings.

Show a summary per file

File	Description
scripts/ci/ci-cd-gaps-assessment-workflow.test.ts	Adds CI assertions that the source and lock workflow files retain the intended model and max-turns settings.
.github/workflows/ci-cd-gaps-assessment.md	Pins the workflow to a lower-cost Copilot model and limits turn count to reduce per-run AI-credit usage.
.github/workflows/ci-cd-gaps-assessment.lock.yml	Updates the compiled workflow to hard-code the pinned model and turn budget in runtime/env and metadata.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 3/3 changed files
• Comments generated: 0

[github-actions]

🔐 Smoke Test: Copilot PAT Auth — PASS

Test	Result
GitHub MCP connectivity	✅
github.com HTTP	✅
File write/read	✅ /tmp/gh-aw/agent/smoke-test-copilot-pat-27506401659.txt

Overall: PASS — Auth mode: PAT (COPILOT_GITHUB_TOKEN)

cc @Copilot @lpcox

🔑 PAT report filed by Smoke Copilot PAT

[github-actions]

Reduce CI/CD gaps assessment run cost to avoid AI-credit guardrail trips
✅ GitHub review
✅ gh CLI query
✅ Playwright GitHub title
✅ File write/read
✅ Discussion lookup/comment
✅ Build
Overall status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Smoke Test: Copilot BYOK (Direct Mode) ✅ PASS

Test Results:

• GitHub.com connectivity: ✅ HTTP 200
• File write/read: ✅ /tmp/gh-aw/agent/smoke-test-copilot-byok.txt
• BYOK inference: ✅ Active (api-proxy → api.githubcopilot.com)

Configuration: Direct BYOK mode (COPILOT_PROVIDER_API_KEY) via api-proxy sidecar. Agent receives placeholder credential; real key held by sidecar. All inference requests routed through secure api-proxy → Squid → api.githubcopilot.com.

Network isolation, filesystem access, and BYOK authentication path all verified.

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

🔬 Smoke Test Results — PASS

Test	Status
GitHub MCP connectivity	✅
GitHub.com HTTP connectivity	✅
File write/read	✅

Overall: PASS

PR: Reduce CI/CD gaps assessment run cost to avoid AI-credit guardrail trips
Author: @Copilot | Assignees: @lpcox @Copilot

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test: GitHub Actions Services Connectivity

Check	Result
Redis PING (port 6379)	❌ Connection refused
PostgreSQL pg_isready (port 5432)	❌ No response
PostgreSQL SELECT 1	❌ No response

host.docker.internal resolves to 172.17.0.1 but neither service is reachable at that address or at 127.0.0.1.

Overall: FAIL — Service containers appear not to be running or are not accessible from this runner.

🔌 Service connectivity validated by Smoke Services

[github-actions]

Gemini Smoke Test Results

• GitHub MCP: ✅
  • refactor(model-resolver): decompose resolveModel into focused sub-functions; move version utils tests #4938: refactor(model-resolver)
  • refactor(token-tracker-http): decompose 238-line trackTokenUsage into testable top-level functions #4937: refactor(token-tracker-http)
• GitHub.com Connectivity: ❌ (Status 400/000)
• File Writing: ✅
• Bash Tool: ✅

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

[github-actions]

@Copilot @lpcox

Smoke Test Results:

• GitHub MCP Testing: ✅
• GitHub.com Connectivity: ✅
• File Write/Read Test: ✅
• BYOK Inference Test: ✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

Overall: PASS

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	all passed	✅ PASS
Node.js	execa	✅	all passed	✅ PASS
Node.js	p-limit	✅	all passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #4943 · ◷

[github-actions]

@lpcox @Copilot

Smoke Test Results:

• GitHub MCP: ✅
• GitHub.com Connect: ✅
• File I/O: ✅
• BYOK Inference: ✅

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

Overall: PASS

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)