⚡ Reduce token waste in secret-digger-copilot prompt

[Copilot]

Secret Digger (Copilot) failure runs consume ~2.6M tokens ($5.03/run, ~$35/day across 7 daily failures). The prompt includes duplicate context and verbose instructions that inflate every turn.

Changes

• Remove duplicate context from user message (secret-digger-copilot.md): Repository, Run ID, Workflow, Engine are already in the <system> block injected by gh-aw. The duplicate Run ID also breaks cross-run prefix caching.

• Condense Investigation Workflow (shared/secret-audit.md): Replaced 4 verbose steps (Load → Select → Execute → Update Cache, ~600 chars) with 3 one-liners. Saves ~450–625 tokens/turn.

• Remove Security Research Guidelines (shared/secret-audit.md): Entirely redundant with the MISSION statement. Six bullet points of "be thorough" adds nothing.

• Recompile + post-process lock file.

Not implemented

max-turns: 8 — the highest-impact recommendation (~$25/day) — is rejected by gh-aw v0.67.4:

error: max-turns not supported: engine 'copilot' does not support the max-turns feature

This requires an upstream gh-aw change to add copilot engine turn-limit support.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.67.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.67.4 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)