🤖 This PR was created by Repo Assist, an automated AI assistant.
Summary
All GitHub Actions in ci.yml use pinned commit SHAs for supply-chain security — except for four uses of actions/github-script@v7, which referenced a mutable tag. This PR pins them to an immutable SHA and upgrades to v9.
What Changed
Four steps in ci.yml (in smoke-copilot-pr, smoke-copilot, large-payload-tester, and language-support-tester jobs) used:
All four are now pinned to:
Why v9?
The SHA 3a2844b7e9c422d3c10d287c895573f7108da1b3 is already used in agentics-maintenance.yml (9 times), so it is already vetted in this repository. This makes ci.yml consistent with the rest of the workflows.
Security Benefit
Using mutable tags like @v7 means the action content can change without a code review — a known supply-chain attack vector. Pinning to a specific commit SHA ensures the exact code used is reviewed and immutable.
Test Status
This change only affects GitHub Actions workflow YAML — no Go code was modified, no build or test is required.
Warning
Protected Files — Push Permission Denied
This was originally intended as a pull request, but the patch modifies protected files. A human must create the pull request manually.
The push was rejected because GitHub Actions does not have workflows permission to push these changes, and is never allowed to make such changes, or other authorization being used does not have this permission.
Create the pull request manually
# Download the patch from the workflow run
gh run download 24399350012 -n agent -D /tmp/agent-24399350012
# Create a new branch
git checkout -b repo-assist/eng-pin-github-script-action-2026-04-14-f4fa98c2f0b1fcf9 main
# Apply the patch (--3way handles cross-repo patches)
git am --3way /tmp/agent-24399350012/aw-repo-assist-eng-pin-github-script-action-2026-04-14.patch
# Push the branch and create the pull request
git push origin repo-assist/eng-pin-github-script-action-2026-04-14-f4fa98c2f0b1fcf9
gh pr create --title '[Repo Assist] ci: pin actions/github-script to SHA and upgrade from v7 to v9' --base main --head repo-assist/eng-pin-github-script-action-2026-04-14-f4fa98c2f0b1fcf9 --repo github/gh-aw-mcpg
Note
🔒 Integrity filter blocked 1 item
The following item was blocked because it doesn't meet the GitHub integrity level.
tools/list response is slow #3718 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
To allow these resources, lower min-integrity in your GitHub frontmatter:
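Added example, not part of the original PR text or the repository's code: a small audit that finds `uses:` references like the `actions/github-script@v7` lines described under Security Benefit, so a mutable tag does not slip back into a workflow. The function names and the sample workflow are assumptions made for illustration.

```python
import re

# A `uses:` key on a step or a reusable-workflow job; commented-out lines do not match.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}", re.IGNORECASE)
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

# Constructed workflow. Only actions/github-script@v7 and the 3a2844b... SHA come
# from the PR text; the checkout SHA, local action path and image are made up.
SAMPLE = """\
jobs:
  smoke-copilot:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/github-script@v7
      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
      - uses: ./.github/actions/local-setup
      - uses: docker://alpine:3.20
"""


def classify(ref):
    """Return None when ref is immutable, otherwise the reason it is not."""
    if ref.startswith("./"):
        return None  # local action, versioned with the repository itself
    if ref.startswith("docker://"):
        digest = ref.partition("@")[2]
        return None if DIGEST_RE.fullmatch(digest) else "image not pinned by digest"
    version = ref.rpartition("@")[2] if "@" in ref else ""
    if not version:
        return "no ref given"
    return None if FULL_SHA_RE.fullmatch(version) else "mutable tag or branch"


def find_unpinned(workflow_text):
    """Return (line number, ref, reason) for every non-immutable `uses:` line."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        reason = classify(match.group(1)) if match else None
        if reason:
            findings.append((lineno, match.group(1), reason))
    return findings


if __name__ == "__main__":
    for lineno, ref, reason in find_unpinned(SAMPLE):
        print(f"line {lineno}: {ref}: {reason}")
```

As a CI gate, run `find_unpinned` over each file in `.github/workflows` and fail the job when it returns anything. The check is textual only: it does not confirm that a 40-character SHA belongs to the action's own repository rather than a fork, so a new SHA still needs review.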