ops(build): add Copilot cloud agent setup-steps workflow

[katriendg]

Description

Adds .github/workflows/copilot-setup-steps.yml, a setup-only workflow that pre-provisions toolchains, language runtimes, and dependency closures for GitHub Copilot cloud coding-agent sessions. Copilot picks up the workflow from the default branch and injects the resulting environment into each agent session, so editing, linting, and running targeted tools land on a warm sandbox instead of waiting for cold installs. The workflow is also wired to run on self-changes and weekly to surface broken action SHAs, yanked packages, or registry outages before they reach a live session.

Closes #497

Type of Change

• 🐛 Bug fix (non-breaking change fixing an issue)
• ✨ New feature (non-breaking change adding functionality)
• 💥 Breaking change (fix or feature causing existing functionality to change)
• 📚 Documentation update
• 🏗️ Infrastructure change (Terraform/IaC)
• ♻️ Refactoring (no functional changes)

Component(s) Affected

• infrastructure/terraform/prerequisites/ - Azure subscription setup
• infrastructure/terraform/ - Terraform infrastructure
• infrastructure/setup/ - OSMO control plane / Helm
• workflows/ - Training and evaluation workflows
• training/ - Training pipelines and scripts
• docs/ - Documentation

The change lives under .github/workflows/ (CI tooling) and does not match any listed component bucket.

Workflow shape

The single copilot-setup-steps job runs on ubuntu-latest with timeout-minutes: 45, permissions: contents: read at both workflow and job scope, and actions/checkout configured with persist-credentials: false. Triggers cover workflow_dispatch, path-scoped push / pull_request on the workflow file itself, and a weekly cron '17 9 * * 1' drift check.

• Toolchains installed (all third-party actions SHA-pinned): shellcheck, jq, and ffmpeg via apt-get; Python 3.12 with uv; Node.js pinned via data-management/viewer/frontend/.nvmrc with npm caching keyed on the root and frontend package-lock.json files; Go keyed on infrastructure/terraform/e2e/go.mod; Terraform (with terraform_wrapper: false) and TFLint; PowerShell Pester 5.7.1 and powershell-yaml.
• Dependency presync: root npm ci (markdownlint, cspell, table-formatter, link-check), root uv sync --group dev, dataviewer backend uv sync --extra dev --extra analysis --extra hdf5 --extra export --extra auth, evaluation uv sync --only-group dev, dataviewer frontend npm ci, and terraform e2e Go modules go mod download.
• Setup-only contract: no pytest, vitest, go test, terraform test, or Invoke-Pester runs in this job. CI remains the regression gate.

Deviations from the issue acceptance criteria

Captured here for reviewer awareness; the implementation aligns the workflow with the toolchain pins already in the repo's CI surface.

• Python is pinned to 3.12 rather than 3.11, matching the project's existing Python target.
• timeout-minutes is 45 rather than 30 to absorb the broader presync surface (dataviewer backend extras, frontend, evaluation, root, and terraform e2e Go modules).

gh aw Version Pinning

The gh aw CLI extension is installed without version pinning (gh extension install github/gh-aw). This installs the latest stable release (pre-releases excluded) at each session start. Pinning is intentionally omitted because: (1) gh aw maintains backward compatibility — newer CLI versions compile and run older workflows without issue, (2) compiled .lock.yml files embed their compiler_version for auditability, (3) the extension releases 2–3 times per week making a pinned version constantly stale, and (4) unlike uses: action SHAs (pipeline supply-chain integrity), gh aw is a runtime developer tool with a different threat model.

If pinning becomes necessary in the future, use the --pin flag with a release tag:

- name: Install gh-aw CLI extension
  run: gh extension install github/gh-aw --pin v0.71.1
  env:
    GH_TOKEN: ${{ github.token }}

Testing Performed

• Terraform plan reviewed (no unexpected changes)
• Terraform apply tested in dev environment
• Training scripts tested locally with Isaac Sim
• OSMO workflow submitted successfully
• Smoke tests passed (smoke_test_azure.py)

None of the predefined items apply to a CI-only workflow change. Validation was performed via npm run lint:yaml, the workflow-permissions and SHA-pinning scans, and actionlint.

Documentation Impact

• No documentation changes needed
• Documentation updated in this PR
• Documentation issue filed

Bug Fix Checklist

Complete this section for bug fix PRs. Skip for other contribution types.

• Linked to issue being fixed
• Regression test included, OR
• Justification for no regression test:

Checklist

• My code follows the project conventions
• Commit messages follow conventional commit format
• I have performed a self-review
• Documentation impact assessed above
• No new linting warnings introduced

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 8456610.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 5.2	Details Check Score Reason Code-Review 🟢 5 Found 16/29 approved changesets -- score normalized to 5 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 9 SAST tool detected but not run on all commits
actions/actions/setup-go	4a3601121dd01d1626a1e23e37211e3254c1c06c	🟢 5.2	Details Check Score Reason Maintained 🟢 5 6 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 5 Code-Review 🟢 6 Found 11/16 approved changesets -- score normalized to 6 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 10 SAST tool is run on all commits
actions/actions/setup-node	48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e	🟢 5.4	Details Check Score Reason Code-Review 🟢 6 Found 16/23 approved changesets -- score normalized to 6 Binary-Artifacts 🟢 9 binaries present in source code Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 7 9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches SAST 🟢 10 SAST tool is run on all commits
actions/actions/setup-python	a309ff8b426b58ec0e2a45f0f869d46889d02405	🟢 4.7	Details Check Score Reason Maintained ⚠️ 1 2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1 Code-Review 🟢 5 Found 11/19 approved changesets -- score normalized to 5 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 10 SAST tool is run on all commits
actions/astral-sh/setup-uv	08807647e7069bb48b6ef5acd8ec9567f424441b	Unknown	Unknown
actions/hashicorp/setup-terraform	5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85	🟢 6	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review ⚠️ 2 Found 3/12 approved changesets -- score normalized to 2 Maintained 🟢 10 10 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 10 all dependencies are pinned License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/terraform-linters/setup-tflint	b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93	🟢 5.3	Details Check Score Reason Code-Review ⚠️ 0 Found 0/8 approved changesets -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 10 all dependencies are pinned Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits

Scanned Files

• .github/workflows/copilot-setup-steps.yml

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.59%. Comparing base (83384d2) to head (8456610).

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #593      +/-   ##
==========================================
+ Coverage   65.16%   66.59%   +1.42%     
==========================================
  Files         251      262      +11     
  Lines       15597    16611    +1014     
  Branches     2152     2294     +142     
==========================================
+ Hits        10164    11062     +898     
- Misses       5142     5262     +120     
+ Partials      291      287       -4     

Flag	Coverage Δ		*Carryforward flag
pester	83.13% <ø> (ø)		Carriedforward from 23a17a6
pytest-data-pipeline	100.00% <ø> (ø)		Carriedforward from 23a17a6
pytest-dataviewer	65.21% <ø> (-1.72%)	⬇️	Carriedforward from 23a17a6
pytest-dm-tools	100.00% <ø> (ø)		Carriedforward from 23a17a6
pytest-evaluation	99.83% <ø> (?)
pytest-fuzz	4.99% <ø> (+0.09%)	⬆️	Carriedforward from 23a17a6
pytest-inference	0.00% <ø> (ø)		Carriedforward from 23a17a6
pytest-training	82.14% <ø> (ø)		Carriedforward from 23a17a6
vitest	51.06% <ø> (-1.96%)	⬇️	Carriedforward from 23a17a6

*This pull request uses carry forward flags. Click here to find out more.
see 30 files with indirect coverage changes

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[bindsi]

Thx for adding this, @katriendg! Should we consider installing the gh aw extension to recompile the workflows against the latest version as we discussed recently?
Or we can create another scheduled workflow for this!? Wdyt?

[WilliamBerryiii]

Thx for adding this, @katriendg! Should we consider installing the gh aw extension to recompile the workflows against the latest version as we discussed recently? Or we can create another scheduled workflow for this!? Wdyt?

Thx for adding this, @katriendg! Should we consider installing the gh aw extension to recompile the workflows against the latest version as we discussed recently? Or we can create another scheduled workflow for this!? Wdyt?

I'll hold on merging until we can continue this thread next week.

[katriendg]

Thx for adding this, @katriendg! Should we consider installing the gh aw extension to recompile the workflows against the latest version as we discussed recently? Or we can create another scheduled workflow for this!? Wdyt?

Thx for adding this, @katriendg! Should we consider installing the gh aw extension to recompile the workflows against the latest version as we discussed recently? Or we can create another scheduled workflow for this!? Wdyt?

I'll hold on merging until we can continue this thread next week.

Great idea @bindsi - I've added it and also updated the PR description with a note why we don't pin that specific install.

@WilliamBerryiii this one should be ready for approval and merge now. Thanks.