feat: optimize export-audit workflow (~94% weekly cost reduction)

[Copilot]

The export-audit workflow was the #1 cost driver in the fleet at ~$4.30/week ($0.86/run × 5 runs/week), with 9.6 LLM turns/run and a verbose 1,561-token prompt. Addresses all five recommendations from the token optimization report.

Changes

Trigger: push → weekly schedule

• Runs once weekly (Monday 09:00 UTC) instead of on every merge to main
• 5×/week → 1×/week; dead exports don't appear and vanish within hours

max-turns: 12 → 6

• Added explicit hard-limit instruction: "Turn 1: read context + plan. Turns 2–5: verify and file. Turn 6: emit noop or final issue and stop."
• Each eliminated turn saves ~50K+ tokens of accumulated context replay

Prompt: ~1,561 tokens → ~400 tokens

• Removed verbose Phase 1–5 section headers and redundant issue body template
• All key constraints preserved (verification budget, duplicate-check, scoring, VERIFIED_UNUSED behaviour)

head limits reduced in analysis script

• Exports: head -80 → head -30
• Unused exports: head -40 → head -15
• Naming issues: head -20 → head -10
• Test imports: 5 lines/unlimited files → 3 lines/max 8 files

9 pre-agent steps consolidated into 1

• Extracted scripts/ci/export-audit-analysis.sh containing all analysis logic
• Eliminates fragile $GITHUB_OUTPUT multiline heredoc chain; writes context file directly
• Workflow step reduced to:

- name: Run export audit analysis
  run: |
    set -o pipefail
    mkdir -p /tmp/gh-aw/agent
    npm install -g ts-prune@0.10.3 madge@8.0.0 2>&1 | tail -3
    bash scripts/ci/export-audit-analysis.sh > /tmp/gh-aw/agent/export-audit-context.md
    echo "Context: $(wc -c < /tmp/gh-aw/agent/export-audit-context.md) bytes"

Expected impact

Metric	Before	After
Weekly cost	~$4.30	~$0.26
Tokens/run	~503K	~150K
LLM turns/run	9.6 avg	4–5 avg
Runs/week	5	1

Lock file recompiled via gh aw compile + postprocess-smoke-workflows.ts. Tests updated to assert the new configuration.

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	96.35%	96.46%	📈 +0.11%
Statements	96.21%	96.32%	📈 +0.11%
Functions	98.27%	98.27%	➡️ +0.00%
Branches	90.42%	90.57%	📈 +0.15%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/config-writer.ts	89.3% → 90.9% (+1.65%)	89.3% → 90.9% (+1.65%)
src/container-lifecycle.ts	93.9% → 95.7% (+1.84%)	94.2% → 95.9% (+1.75%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

This PR optimizes the export-audit agentic workflow to substantially reduce weekly LLM usage/cost by running less frequently, limiting turns, shrinking prompt/context, and consolidating pre-agent analysis into a single script.

Changes:

• Switch export-audit trigger from push to a weekly schedule and reduce max-turns from 12 → 6 with an explicit hard stop.
• Replace multiple pre-agent context-building steps with a single scripts/ci/export-audit-analysis.sh script that writes the context file directly.
• Update workflow lock/tests and adjust analysis output caps (head -80 → -30, etc.) to reduce context size.

Show a summary per file

File	Description
scripts/ci/export-audit-workflow.test.ts	Updates assertions for weekly schedule, reduced turns, condensed prompt, and consolidated analysis step/script.
scripts/ci/export-audit-analysis.sh	New consolidated analysis script that generates the markdown context (with reduced output caps).
.github/workflows/export-audit.md	Changes trigger to weekly schedule, reduces turns, and condenses prompt/instructions.
.github/workflows/export-audit.lock.yml	Regenerated lock workflow reflecting the new schedule/turn cap and consolidated step (but currently contains a schedule indentation bug and weaker pinning).
.github/workflows/red-team-benchmark.lock.yml	Updates checkout/install/build behavior (appears to be lock regeneration/postprocess fallout).
.github/aw/actions-lock.json	Removes some gh-aw-actions/* pins; currently missing replacements for versions referenced by updated lock workflow.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (1)

.github/aw/actions-lock.json:92

• .github/aw/actions-lock.json removed the entries for github/gh-aw-actions/setup@v0.76.1 / setup-cli@v0.76.1 but does not add replacements for the versions referenced by the updated lock workflow (e.g. github/gh-aw-actions/setup@v0.77.5). This makes it impossible to resolve a commit SHA for github/gh-aw-actions/setup during compilation, which is why the lock manifest now contains "sha":"v0.77.5" instead of a real SHA.

    "docker/setup-buildx-action@v4.1.0": {
      "repo": "docker/setup-buildx-action",
      "version": "v4.1.0",
      "sha": "d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5"
    },
    "github/gh-aw/actions/setup-cli@v0.76.1": {
      "repo": "github/gh-aw/actions/setup-cli",
      "version": "v0.76.1",
      "sha": "58d1bedbb7200f59c2d224151339e38fd8687d05"
    },
    "github/gh-aw/actions/setup@v0.76.1": {
      "repo": "github/gh-aw/actions/setup",
      "version": "v0.76.1",
      "sha": "58d1bedbb7200f59c2d224151339e38fd8687d05"
    },

• Files reviewed: 6/6 changed files
• Comments generated: 3

[lpcox]

@copilot address review feedback

[Copilot]

@copilot address review feedback

Addressed in b6b197d. Details per review thread:

Comment 1 — TS_ERRORS mismatch ✅ Fixed
Updated export-audit.md line 83: If TS_ERRORS is non-empty → If the "TypeScript build output" section contains compiler errors, matching the actual section header written by export-audit-analysis.sh.

Comment 2 — SHA/digest pinning ✅ Partially fixed

• github/gh-aw-actions/setup: resolved the v0.77.5 tag to its commit SHA 3ea13c02d765410340d533515cb31a7eef2baaf0 and updated all four uses: lines, the manifest JSON, and the header comment in the lock file.
• ghcr.io/github/github-mcp-server:v1.1.0 digest: GHCR authentication is required to look this up and the registry isn't accessible from this environment. The digest will be resolved automatically the next time gh aw compile is run.

Comment 3 — schedule YAML indentation ℹ️ No change needed
The - cron: indentation in the lock file is identical to every other scheduled lock workflow in this repo (e.g. ci-cd-gaps-assessment.lock.yml, doc-maintainer.lock.yml, duplicate-code-detector.lock.yml). This is the compact block-sequence form that js-yaml (used by GitHub Actions) correctly parses as the value of schedule:, and the workflow triggers as expected. The source export-audit.md uses the more readable indented form, which gh aw compile normalises during code generation.

[github-actions]

Smoke Test: Claude Engine

• ✅ GitHub API: 2 PR entries found (refactor(api-proxy): extract duplicate collectLogOutput() into shared test helper #4207, [Test Coverage] container-lifecycle.ts branch coverage #4197)
• ✅ GitHub check: playwright_check=PASS
• ✅ File verify: smoke-test-claude-26834638851.txt exists

Result: PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🔬 Smoke Test Results

Test	Status
GitHub MCP (feat: optimize export-audit workflow (~94% weekly cost reduction))	✅
GitHub.com HTTP connectivity	✅ 200
File write/read	✅

Overall: PASS

PR by @Copilot · Assignees: @lpcox, @Copilot

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

🔥 Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP connectivity	✅ (fetched PR #4207)
GitHub.com HTTP	✅ (pre-step: HTTP 200/301)
File write/read	⚠️ (template vars not expanded — pre-step data unavailable)
BYOK inference (this response)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

PR author: @Copilot · Assignees: @lpcox, @Copilot

Overall: PASS (file test inconclusive due to unexpanded template vars)

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

Merged PRs reviewed:

• refactor(api-proxy): extract duplicate collectLogOutput() into shared test helper
• [Test Coverage] container-lifecycle.ts branch coverage

Checks:

• GitHub title contains GitHub: ✅
• PR query: ✅
• Discussion lookup: ✅
• File write/readback: ✅
• npm ci && npm run build: ✅

Overall status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #4205 · sonnet46 989.6K · ◷

[github-actions]

Smoke Test Results

Check	Result
Redis PING	❌ Timeout (no response)
PostgreSQL pg_isready	❌ No response
PostgreSQL SELECT 1	❌ Skipped (pg_isready failed)

Overall: FAIL — host.docker.internal is not reachable from this environment. Service containers are unreachable.

🔌 Service connectivity validated by Smoke Services

[github-actions]

Smoke Test Results (Gemini)

• GitHub MCP Testing: ❌ (Shallow clone, only fix: recompile red-team-benchmark lock file #4191 found)
• GitHub.com Connectivity: ❌ (Exit code 35)
• File Writing Testing: ✅
• Bash Tool Testing: ✅

Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini