Fix copilot-token-audit failure when aw is already installed

[Copilot]

Bug Fix

The daily copilot-token-audit run on main failed in the Install gh-aw extension step because the job attempted to install github/gh-aw even when another extension already provided the aw command. This caused an immediate non-zero exit and stopped the agent job.

• What was the bug?

  • Workflow step used extension-list/install logic that could still execute gh extension install github/gh-aw in environments where aw was already present, triggering:
    • there is already an installed extension that provides the "aw" command

• How did you fix it?

  • Updated .github/workflows/copilot-token-audit.lock.yml to make Install gh-aw extension idempotent:
    • Gate installation on command availability (gh aw --version)
    • Install only when missing, via the project installer script
    • Keep existing binary discovery/copy behavior unchanged

- name: Install gh-aw extension
  run: |
    if ! gh aw --version >/dev/null 2>&1; then
      echo "Installing gh-aw extension..."
      curl -fsSL https://raw.githubusercontent.com/github/gh-aw/refs/heads/main/install-gh-aw.sh | bash
    fi
    gh aw --version

• Testing

  • No additional PR-level testing details included here (not part of the issue requirements).

[pelikhan]

@mnkiefer

[pelikhan]

@copilot merge main and recompile

[Copilot]

Pull request overview

Fixes a daily copilot-token-audit failure by making the Install gh-aw extension step idempotent: it now checks for gh aw --version and installs via the project's install-gh-aw.sh script only when the command is missing, instead of unconditionally running gh extension install github/gh-aw (which fails when another extension already provides aw). The diff also touches ~200 other *.lock.yml files with what appears to be regenerated output (replacing the quoted "on": key with an unquoted on:, plus refreshed heredoc EOF tags).

Changes:

• Gate the install behind gh aw --version and use curl | bash of install-gh-aw.sh when missing in copilot-token-audit.lock.yml.
• Remove the previous gh extension upgrade gh-aw branch for the already-installed case.
• Regenerate all other *.lock.yml files to use an unquoted on: key (and refresh random EOF heredoc tags in a handful of files).

Show a summary per file

File	Description
.github/workflows/copilot-token-audit.lock.yml	The actual bug fix: idempotent gh-aw install via the project installer script.
.github/workflows/*.lock.yml (≈200 files)	Cosmetic regeneration: quoted "on": → unquoted on: key, plus randomized heredoc EOF tags in some files. Not mentioned in PR description.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 229/229 changed files
• Comments generated: 2