Upgrade gh-aw to v0.79.8 and isolate PAT pool into copilot-pat-pool environment (dotnet#10450)

- Add copilot-pat-pool environment to pat_pool.md shared workflow
- Add copilot-pat-pool environment to validate-pat-pool.yml
- Add copilot-pat-pool environment to release-notes.md workflow
- Remove default fall-back PAT (secrets.COPILOT_GITHUB_TOKEN) from case statement, use 'NO COPILOT PAT AVAILABLE' sentinel
- Update comment block to describe environment isolation
- Upgrade actions-lock.json to gh-aw-actions/setup v0.79.8 and actions/checkout v6.0.3
- Recompile release-notes.lock.yml with gh-aw v0.79.8 (--schedule-seed dotnet/core)
- Update agentic-workflows.agent.md: restore/retain repo-specific instructions for copilot-pat-pool usage

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: jeffhandley

.github/agents/agentic-workflows.agent.md

@@ -19,7 +19,10 @@ This is a **dispatcher agent** that routes your request to the appropriate speci
 - **Creating shared components**: Routes to `create-shared-agentic-workflow` prompt
 - **Fixing Dependabot PRs**: Routes to `dependabot` prompt — use this when Dependabot opens PRs that modify generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`). Never merge those PRs directly; instead update the source `.md` files and rerun `gh aw compile --dependabot` to bundle all fixes
 - **Analyzing test coverage**: Routes to `test-coverage` prompt — consult this whenever the workflow reads, analyzes, or reports on test coverage data from PRs or CI runs
+- **Rendering ASCII charts in markdown**: Routes to `asciicharts` guide — consult this whenever the workflow needs compact charts that render reliably in GitHub issues, comments, or discussions
 - **CLI commands and triggering workflows**: Routes to `cli-commands` guide — consult this whenever the user asks how to run, compile, debug, or manage workflows from the command line, or when they need the MCP tool equivalent of a `gh aw` command
+- **Reducing token consumption / cost optimization**: Routes to `token-optimization` guide — consult this whenever the user asks how to reduce token usage, lower costs, speed up workflows, or measure the impact of prompt changes with experiments
+- **Choosing workflow architectures and design patterns**: Routes to `patterns` guide — consult this whenever the user asks for strategy, architecture, operating models, or pattern selection for agentic workflows
 
 Workflows may optionally include:
 
@@ -31,7 +34,7 @@ Workflows may optionally include:
 - Workflow files: `.github/workflows/*.md` and `.github/workflows/**/*.md`
 - Workflow lock files: `.github/workflows/*.lock.yml`
 - Shared components: `.github/workflows/shared/*.md`
-- Configuration: [github-agentic-workflows.md](https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/github-agentic-workflows.md)
+- Configuration: `.github/aw/github-agentic-workflows.md`
 
 ## Problems This Solves
 
@@ -54,7 +57,7 @@ When you interact with this agent, it will:
 
 **Load when**: User wants to create a new workflow from scratch, add automation, or design a workflow that doesn't exist yet
 
-**Prompt file**: [create-agentic-workflow.md](https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/create-agentic-workflow.md)
+**Prompt file**: `.github/aw/create-agentic-workflow.md`
 
 **Use cases**:
 
@@ -66,7 +69,7 @@ When you interact with this agent, it will:
 
 **Load when**: User wants to modify, improve, or refactor an existing workflow
 
-**Prompt file**: [update-agentic-workflow.md](https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/update-agentic-workflow.md)
+**Prompt file**: `.github/aw/update-agentic-workflow.md`
 
 **Use cases**:
 
@@ -78,7 +81,7 @@ When you interact with this agent, it will:
 
 **Load when**: User needs to investigate, audit, debug, or understand a workflow, troubleshoot issues, analyze logs, or fix errors
 
-**Prompt file**: [debug-agentic-workflow.md](https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/debug-agentic-workflow.md)
+**Prompt file**: `.github/aw/debug-agentic-workflow.md`
 
 **Use cases**:
 
@@ -90,7 +93,7 @@ When you interact with this agent, it will:
 
 **Load when**: User wants to upgrade workflows to a new gh-aw version or fix deprecations
 
-**Prompt file**: [upgrade-agentic-workflows.md](https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/upgrade-agentic-workflows.md)
+**Prompt file**: `.github/aw/upgrade-agentic-workflows.md`
 
 **Use cases**:
 
@@ -102,7 +105,7 @@ When you interact with this agent, it will:
 
 **Load when**: The workflow being created or updated produces reports — recurring status updates, audit summaries, analyses, or any structured output posted as a GitHub issue, discussion, or comment
 
-**Prompt file**: [report.md](https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/report.md)
+**Prompt file**: `.github/aw/report.md`
 
 **Use cases**:
 
@@ -114,7 +117,7 @@ When you interact with this agent, it will:
 
 **Load when**: User wants to create a reusable workflow component or wrap an MCP server
 
-**Prompt file**: [create-shared-agentic-workflow.md](https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/create-shared-agentic-workflow.md)
+**Prompt file**: `.github/aw/create-shared-agentic-workflow.md`
 
 **Use cases**:
 
@@ -126,7 +129,7 @@ When you interact with this agent, it will:
 
 **Load when**: User needs to close or fix open Dependabot PRs that update dependencies in generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`)
 
-**Prompt file**: [dependabot.md](https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/dependabot.md)
+**Prompt file**: `.github/aw/dependabot.md`
 
 **Use cases**:
 
@@ -138,7 +141,7 @@ When you interact with this agent, it will:
 
 **Load when**: The workflow reads, analyzes, or reports test coverage — whether triggered by a PR, a schedule, or a slash command. Always consult this prompt before designing the coverage data strategy.
 
-**Prompt file**: [test-coverage.md](https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/test-coverage.md)
+**Prompt file**: `.github/aw/test-coverage.md`
 
 **Use cases**:
 
@@ -150,7 +153,7 @@ When you interact with this agent, it will:
 
 **Load when**: The user asks how to run, compile, debug, or manage workflows from the command line; needs the MCP tool equivalent of a `gh aw` command; or is in a restricted environment (e.g., Copilot Cloud) without direct CLI access.
 
-**Reference file**: [cli-commands.md](https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/cli-commands.md)
+**Reference file**: `.github/aw/cli-commands.md`
 
 **Use cases**:
 
@@ -159,12 +162,40 @@ When you interact with this agent, it will:
 - "I'm in Copilot Cloud — how do I compile a workflow?"
 - "Show me all available gh aw commands"
 
+### Token Consumption Optimization
+
+**Load when**: The user asks how to reduce token usage, lower workflow costs, make a workflow faster or cheaper, or measure the impact of prompt or configuration changes.
+
+**Reference file**: `.github/aw/token-optimization.md`
+
+**Use cases**:
+
+- "How do I reduce the token cost of this workflow?"
+- "My workflow is too expensive — how do I optimize it?"
+- "How do I compare token usage between two runs?"
+- "Should I use gh-proxy or the MCP server?"
+- "How do I use sub-agents to reduce costs?"
+- "How do I measure the impact of a prompt change?"
+
+### Workflow Pattern Selection
+
+**Load when**: The user asks for architecture, strategy, operating model selection, or pattern recommendations for building agentic workflows.
+
+**Reference file**: `.github/aw/patterns.md`
+
+**Use cases**:
+
+- "Which pattern should I use for multi-repo rollout?"
+- "How should I structure this workflow architecture?"
+- "What pattern fits slash-command triage?"
+- "Should this be DispatchOps or DailyOps?"
+
 ## Instructions
 
 When a user interacts with you:
 
 1. **Identify the task type** from the user's request
-2. **Load the appropriate prompt** from the GitHub repository URLs listed above
+2. **Load the appropriate prompt** from the repository paths listed above
 3. **Follow the loaded prompt's instructions** exactly
 4. **If uncertain**, ask clarifying questions to determine the right prompt
 
@@ -203,36 +234,40 @@ gh aw compile --validate
 
 ## Important Notes
 
-- Always reference the instructions file at [github-agentic-workflows.md](https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/github-agentic-workflows.md) for complete documentation
+- Always reference the instructions file at `.github/aw/github-agentic-workflows.md` for complete documentation
 - Use the MCP tool `agentic-workflows` when running in GitHub Copilot Cloud
 - Workflows must be compiled to `.lock.yml` files before running in GitHub Actions
 - **Bash tools are enabled by default** - Don't restrict bash commands unnecessarily since workflows are sandboxed by the AWF
 - Follow security best practices: minimal permissions, explicit network access, no template injection
-- **Network configuration**: Use ecosystem identifiers (`node`, `python`, `go`, etc.) or explicit FQDNs in `network.allowed`. Bare shorthands like `npm` or `pypi` are **not** valid. See [network.md](https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/network.md) for the full list of valid ecosystem identifiers and domain patterns.
+- **Network configuration**: Use ecosystem identifiers (`node`, `python`, `go`, etc.) or explicit FQDNs in `network.allowed`. Bare shorthands like `npm` or `pypi` are **not** valid. See `.github/aw/network.md` for the full list of valid ecosystem identifiers and domain patterns.
 - **Single-file output**: When creating a workflow, produce exactly **one** workflow `.md` file. Do not create separate documentation files (architecture docs, runbooks, usage guides, etc.). If documentation is needed, add a brief `## Usage` section inside the workflow file itself.
 - **Triggering runs**: Always use `gh aw run <workflow-name>` to trigger a workflow on demand — not `gh workflow run <file>.lock.yml`. `gh aw run` handles workflow resolution by short name, input parsing and validation, and correct run-tracking for agentic workflows. Use `--ref <branch>` to run on a specific branch.
-- **CLI commands reference**: For a complete guide on all `gh aw` commands and their MCP tool equivalents (for restricted environments), see [cli-commands.md](https://github.com/github/gh-aw/blob/v0.71.5/.github/aw/cli-commands.md)
+- **CLI commands reference**: For a complete guide on all `gh aw` commands and their MCP tool equivalents (for restricted environments), see `.github/aw/cli-commands.md`
 - **Repository-specific requirements**: There are multiple sets of repository-specific instructions below that must be respected. They affect workflow authoring, updates, compilation, and reviews.
 
 ## Repository-Specific Requirements: Copilot PAT Pool
 
-**⚠️ MANDATORY**: Every agentic workflow in this repository **must** utilize the Copilot PAT Pool as detailed in `.github/workflows/shared/pat_pool.README.md`. This mechanism selects a random Copilot PAT from a numbered pool of secrets to avoid rate-limiting from a single shared PAT.
+**⚠️ MANDATORY**: Every agentic workflow in this repository **must** utilize the Copilot PAT Pool in the `copilot-pat-pool` environment as detailed in `.github/workflows/shared/pat_pool.README.md`. This mechanism selects a random Copilot PAT from a numbered pool of environment secrets to avoid rate-limiting from a single shared PAT, while preventing agentic workflows from having access to secrets from other environments.
 
 When **creating** or **updating** an agentic workflow, always include the following frontmatter that integrates the PAT pool. This should be used verbatim when first added.
 
 ```yml
 # ###############################################################
 # Override COPILOT_GITHUB_TOKEN with a random PAT from the pool.
+# Ensure this agentic jobs run from the isolated
+# `copilot-pat-pool` environment where the PAT pool is available.
 # This stop-gap will be removed when org billing is available.
 # See: .github/workflows/shared/pat_pool.README.md for more info.
 # ###############################################################
 imports:
   - shared/pat_pool.md
 
+environment: copilot-pat-pool
+
 engine:
   id: copilot
   env:
-    COPILOT_GITHUB_TOKEN: ${{ case(needs.pat_pool.outputs.pat_number == '0', secrets.COPILOT_PAT_0, needs.pat_pool.outputs.pat_number == '1', secrets.COPILOT_PAT_1, needs.pat_pool.outputs.pat_number == '2', secrets.COPILOT_PAT_2, needs.pat_pool.outputs.pat_number == '3', secrets.COPILOT_PAT_3, needs.pat_pool.outputs.pat_number == '4', secrets.COPILOT_PAT_4, needs.pat_pool.outputs.pat_number == '5', secrets.COPILOT_PAT_5, needs.pat_pool.outputs.pat_number == '6', secrets.COPILOT_PAT_6, needs.pat_pool.outputs.pat_number == '7', secrets.COPILOT_PAT_7, needs.pat_pool.outputs.pat_number == '8', secrets.COPILOT_PAT_8, needs.pat_pool.outputs.pat_number == '9', secrets.COPILOT_PAT_9, secrets.COPILOT_GITHUB_TOKEN) }}
+    COPILOT_GITHUB_TOKEN: ${{ case(needs.pat_pool.outputs.pat_number == '0', secrets.COPILOT_PAT_0, needs.pat_pool.outputs.pat_number == '1', secrets.COPILOT_PAT_1, needs.pat_pool.outputs.pat_number == '2', secrets.COPILOT_PAT_2, needs.pat_pool.outputs.pat_number == '3', secrets.COPILOT_PAT_3, needs.pat_pool.outputs.pat_number == '4', secrets.COPILOT_PAT_4, needs.pat_pool.outputs.pat_number == '5', secrets.COPILOT_PAT_5, needs.pat_pool.outputs.pat_number == '6', secrets.COPILOT_PAT_6, needs.pat_pool.outputs.pat_number == '7', secrets.COPILOT_PAT_7, needs.pat_pool.outputs.pat_number == '8', secrets.COPILOT_PAT_8, needs.pat_pool.outputs.pat_number == '9', secrets.COPILOT_PAT_9, 'NO COPILOT PAT AVAILABLE') }}
 ```
 
 When the workflow is being updated by hand, the `engine.env.COPILOT_GITHUB_TOKEN` may be reformatted to use a multi-line YAML string for the expression if desired for improved readability.
@@ -266,4 +301,4 @@ Arrange top-level frontmatter keys in this order within the `---` markers:
 3. **Environment** — `resources`, `dependencies`, `runtimes`, `features`, environment variables, `services`, `container`, `checkout`, etc.
 4. **Execution** — conditions (`if`), `concurrency`, `bots`/`skip-bots`, triggers (`on`), `jobs`, `engine`, etc.
 
-The PAT pool integration naturally falls into the **Execution** group at the bottom. Keep the PAT pool content together as the last items in the frontmatter.
+The PAT pool integration naturally falls into the **Execution** group at the bottom, including the `environment` property that defines the _execution environment_ for the agentic job. Keep the PAT pool content together as the last items in the frontmatter.

.github/aw/actions-lock.json

@@ -1,9 +1,9 @@
 {
   "entries": {
-    "actions/checkout@v6.0.2": {
+    "actions/checkout@v6.0.3": {
       "repo": "actions/checkout",
-      "version": "v6.0.2",
-      "sha": "de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+      "version": "v6.0.3",
+      "sha": "df4cb1c069e1874edd31b4311f1884172cec0e10"
     },
     "actions/download-artifact@v8.0.1": {
       "repo": "actions/download-artifact",
@@ -15,10 +15,10 @@
       "version": "v9.0.0",
       "sha": "3a2844b7e9c422d3c10d287c895573f7108da1b3"
     },
-    "actions/setup-dotnet@v5.2.0": {
+    "actions/setup-dotnet@v5.3.0": {
       "repo": "actions/setup-dotnet",
-      "version": "v5.2.0",
-      "sha": "c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7"
+      "version": "v5.3.0",
+      "sha": "9a946fdbd5fb07b82b2f5a4466058b876ab72bb2"
     },
     "actions/setup-node@v6.4.0": {
       "repo": "actions/setup-node",
@@ -30,10 +30,10 @@
       "version": "v7.0.1",
       "sha": "043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"
     },
-    "github/gh-aw-actions/setup@v0.71.5": {
+    "github/gh-aw-actions/setup@v0.79.8": {
       "repo": "github/gh-aw-actions/setup",
-      "version": "v0.71.5",
-      "sha": "b8068426813005612b960b5ab0b8bd2c27142323"
+      "version": "v0.79.8",
+      "sha": "c0338fef4749d08c21f8f975fb0e37efa17dda47"
     }
   }
 }