feat: upgrade gh-aw-firewall to v0.25.13 and implement OTLP support

[Copilot]

Summary

Completes the OTLP trace export feature (implemented in PR #24441) and ensures compatibility with gh-aw-firewall v0.25.13.

Changes

Lock file recompile (2 files missed in #24441)

• copilot-token-audit.lock.yml and copilot-token-optimizer.lock.yml now include the full OTLP trace ID cross-job correlation wiring:
  • setup-trace-id output added to activation job
  • id: setup added to Setup Scripts steps
  • job-name: ${{ github.job }} input added to Setup Scripts
  • trace-id: ${{ needs.activation.outputs.setup-trace-id }} threading for all downstream jobs
  • activation added to detection and push_repo_memory needs so they can receive the trace ID

Changeset

• Added .changeset/minor-add-otlp-support.md describing the OTLP feature for the next release notes

Background

The OTLP feature from PR #24441 adds observability.otlp frontmatter support:

observability:
  otlp:
    endpoint: ${{ secrets.GH_AW_OTEL_ENDPOINT }}
    headers: ${{ secrets.GH_AW_OTEL_HEADERS }}  # optional

When configured, every job emits spans to the OTLP endpoint. A single trace ID is threaded across all jobs for end-to-end correlation. When a static URL is provided as the endpoint, its hostname is automatically allowlisted in the AWF firewall.

gh-aw-firewall v0.25.13 (the current default) is required as it includes the Squid domain-injection security fix (fix: prevent Squid config injection via --allow-domains and --allow-urls) that ensures user-provided OTLP domain patterns are safely handled.

Testing

• make fmt and make lint pass
• OTLP unit tests pass
• CodeQL scan: 0 alerts