
Enable Actions token-based Copilot inference and document accepted IMF secret warning in news workflows#3013

Merged: pethers merged 2 commits into main from copilot/fix-13600698-499860999-42304a36-b873-4f42-a925-291e07404a05 on Jun 22, 2026

Conversation

Copilot AI (Contributor) commented Jun 22, 2026

gh aw compile produced two classes of noise across the 14 news-*.md agentic workflows: an info tip recommending permissions.copilot-requests: write, and one advisory warning per file about ${{ secrets.IMF_SDMX_SUBSCRIPTION_KEY }} appearing in the steps: section. The first is actionable; the second is intentional design (the agent makes live authenticated IMF SDMX calls) and is accepted (Option A) rather than re-architected.

Permissions — copilot-requests: write

  • Added copilot-requests: write to the permissions: block of all 14 news-*.md workflows.
  • Recompiled with gh aw compile --purge; compiled lock files now use COPILOT_GITHUB_TOKEN: ${{ github.token }} (Actions token-based inference) instead of a PAT, and the info tip is gone.
```yaml
permissions:
  contents: read
  #
  security-events: read
  copilot-requests: write   # GitHub Actions token-based Copilot inference (requires org centralized Copilot billing)
```

Documentation — accepted IMF warning (Option A)

  • Added an "Accepted compile warnings" section to .github/workflows/README.md covering why the IMF_SDMX_SUBSCRIPTION_KEY-in-steps: warning is expected (agent runs live imf-fetch.ts sdmx calls), why it is safe (::add-mask:: + GH_AW_SECRET_NAMES redaction), why strict: true is not viable (forbids the custom MCP egress domain / write perms / bash wildcards), and the Option-C path for a zero-secrets-in-agent posture.
  • Updated the permissions table row to include copilot-requests: write with the billing caveat.

Notes

  • The 14 IMF secret warnings persist by design; compile remains green (0 error(s)).
  • Lock files were regenerated from .md sources via --purge — none were hand-edited.
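The "accepted warning" decision above only stays safe while the set of secrets forwarded into the agent job does not silently grow. The following checker is an added example, not code from this repository or from gh-aw: it scans compiled lock-file text for every `${{ secrets.NAME }}` reference, reports any that are not on an explicit allow-list (here only `IMF_SDMX_SUBSCRIPTION_KEY`, the Option-A secret), and flags a lock file whose `COPILOT_GITHUB_TOKEN` still comes from a PAT secret instead of `${{ github.token }}` or whose `permissions` block lacks `copilot-requests: write`. The two sample lock files, and the function names `audit_lock_file`, `audit_all` and `ACCEPTED_AGENT_SECRETS`, are constructed for the example and do not reproduce the project's actual generated files.

```python
"""Audit compiled gh-aw style lock files for secrets forwarded to the agent job.

Hypothetical checker (not part of this repository or of gh-aw). It works on the
raw YAML text with regular expressions so it needs no third-party parser.
"""
import re
from typing import Dict, List, Set

# ${{ secrets.NAME }} references, tolerant of the whitespace GitHub allows.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# The value assigned to COPILOT_GITHUB_TOKEN in an env block.
COPILOT_TOKEN_LINE = re.compile(r"^\s*COPILOT_GITHUB_TOKEN:\s*(.+?)\s*$", re.MULTILINE)
# The permission that enables Actions token-based Copilot inference.
COPILOT_PERMISSION = re.compile(r"^\s*copilot-requests:\s*write\s*(#.*)?$", re.MULTILINE)

# Secrets deliberately accepted in agent steps (the Option-A decision).
ACCEPTED_AGENT_SECRETS: Set[str] = {"IMF_SDMX_SUBSCRIPTION_KEY"}

# Constructed sample: the shape of a lock file after this PR (not a real file).
GOOD_LOCK = """\
name: news-week-ahead
permissions:
  contents: read
  security-events: read
  copilot-requests: write
jobs:
  agent:
    steps:
      - name: Run agent
        env:
          COPILOT_GITHUB_TOKEN: ${{ github.token }}
          IMF_SDMX_SUBSCRIPTION_KEY: ${{ secrets.IMF_SDMX_SUBSCRIPTION_KEY }}
        run: ./agent.sh
"""

# Constructed sample: a stale lock file that still uses a PAT and leaks an
# extra secret into the agent job (not a real file).
BAD_LOCK = """\
name: news-stale
permissions:
  contents: read
jobs:
  agent:
    steps:
      - name: Run agent
        env:
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT }}
          IMF_SDMX_SUBSCRIPTION_KEY: ${{ secrets.IMF_SDMX_SUBSCRIPTION_KEY }}
          DB_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }}
        run: ./agent.sh
"""


def audit_lock_file(text: str, accepted: Set[str] = ACCEPTED_AGENT_SECRETS) -> Dict[str, object]:
    """Return the secret references found in one lock file and the policy checks."""
    refs = set(SECRET_REF.findall(text))
    token_sources = COPILOT_TOKEN_LINE.findall(text)
    # A PAT-backed Copilot token shows up as a secrets.* reference on that line.
    token_from_pat = any(SECRET_REF.search(src) for src in token_sources)
    return {
        "secret_refs": sorted(refs),
        "unexpected": sorted(refs - accepted),
        "copilot_token_from_pat": token_from_pat,
        "has_copilot_requests_write": bool(COPILOT_PERMISSION.search(text)),
    }


def audit_all(files: Dict[str, str], accepted: Set[str] = ACCEPTED_AGENT_SECRETS) -> List[str]:
    """Return human-readable findings; an empty list means every file matches policy."""
    findings: List[str] = []
    for name, text in sorted(files.items()):
        result = audit_lock_file(text, accepted)
        for secret in result["unexpected"]:
            findings.append(f"{name}: unexpected secret forwarded to agent steps: {secret}")
        if result["copilot_token_from_pat"]:
            findings.append(f"{name}: COPILOT_GITHUB_TOKEN still sourced from a PAT secret")
        if not result["has_copilot_requests_write"]:
            findings.append(f"{name}: permissions block lacks copilot-requests: write")
    return findings


if __name__ == "__main__":
    for line in audit_all({"good.lock.yml": GOOD_LOCK, "bad.lock.yml": BAD_LOCK}):
        print(line)
```

In a real repository the `files` mapping would be built by reading every `.github/workflows/news-*.lock.yml` after `gh aw compile --purge`, and a non-empty findings list would fail the CI job, so the accepted-warning count (14 today) is pinned by policy rather than by memory.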

@github-actions github-actions Bot added the size-xs Extra small change (< 10 lines) label Jun 22, 2026
github-actions Bot (Contributor) commented

🏷️ Automatic Labeling Summary

This PR has been automatically labeled based on the files changed and PR metadata.

Applied Labels: size-xs

Label Categories

  • 🗳️ Content: news, dashboard, visualization, intelligence
  • 💻 Technology: html-css, javascript, workflow, security
  • 📊 Data: cia-data, riksdag-data, data-pipeline, schema
  • 🌍 I18n: i18n, translation, rtl
  • 🔒 ISMS: isms, iso-27001, nist-csf, cis-controls
  • 🏗️ Infrastructure: ci-cd, deployment, performance, monitoring
  • 🔄 Quality: testing, accessibility, documentation, refactor
  • 🤖 AI: agent, skill, agentic-workflow

For more information, see .github/labeler.yml.

github-actions Bot (Contributor) commented

🔍 Lighthouse Performance Audit

| Category | Score | Status |
| --- | --- | --- |
| Performance | 85/100 | 🟡 |
| Accessibility | 95/100 | 🟢 |
| Best Practices | 90/100 | 🟢 |
| SEO | 95/100 | 🟢 |

📥 Download full Lighthouse report

Budget Compliance: Performance budgets enforced via budget.json

…F warning

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Copilot Request" to "Enable Actions token-based Copilot inference and document accepted IMF secret warning in news workflows" Jun 22, 2026
@github-actions github-actions Bot added documentation Documentation updates workflow GitHub Actions workflows ci-cd CI/CD pipeline changes news News articles and content generation agentic-workflow Agentic workflow changes size-l Large change (250-1000 lines) labels Jun 22, 2026
@pethers pethers marked this pull request as ready for review June 22, 2026 09:08
Copilot AI review requested due to automatic review settings June 22, 2026 09:08

Copilot AI (Contributor) left a review comment

Pull request overview

This PR updates the 14 news-*.md agentic workflows to enable GitHub Actions token-based Copilot inference (removing the need for a PAT-based COPILOT_GITHUB_TOKEN secret in compiled workflows) and documents the intentionally accepted gh aw compile warning related to forwarding IMF_SDMX_SUBSCRIPTION_KEY into the agent job.

Changes:

  • Add permissions.copilot-requests: write across all news-*.md workflows to support Actions token-based Copilot inference.
  • Regenerate the 14 compiled news-*.lock.yml workflows so COPILOT_GITHUB_TOKEN is sourced from ${{ github.token }} and PAT secret validation/redaction wiring is removed.
  • Extend .github/workflows/README.md with an “Accepted compile warnings” section explaining and justifying the IMF secret warning.

Reviewed changes

Copilot reviewed 29 out of 29 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/workflows/README.md | Documents the added copilot-requests: write permission and adds rationale for the accepted IMF secret compile warning. |
| .github/workflows/news-committee-reports.md | Adds copilot-requests: write to enable Actions token-based Copilot inference. |
| .github/workflows/news-election-cycle.md | Adds copilot-requests: write to enable Actions token-based Copilot inference. |
| .github/workflows/news-evening-analysis.md | Adds copilot-requests: write to enable Actions token-based Copilot inference. |
| .github/workflows/news-interpellations.md | Adds copilot-requests: write to enable Actions token-based Copilot inference. |
| .github/workflows/news-month-ahead.md | Adds copilot-requests: write to enable Actions token-based Copilot inference. |
| .github/workflows/news-monthly-review.md | Adds copilot-requests: write to enable Actions token-based Copilot inference. |
| .github/workflows/news-motions.md | Adds copilot-requests: write to enable Actions token-based Copilot inference. |
| .github/workflows/news-propositions.md | Adds copilot-requests: write to enable Actions token-based Copilot inference. |
| .github/workflows/news-quarter-ahead.md | Adds copilot-requests: write to enable Actions token-based Copilot inference. |
| .github/workflows/news-realtime-monitor.md | Adds copilot-requests: write to enable Actions token-based Copilot inference. |
| .github/workflows/news-translate.md | Adds copilot-requests: write to enable Actions token-based Copilot inference. |
| .github/workflows/news-week-ahead.md | Adds copilot-requests: write to enable Actions token-based Copilot inference. |
| .github/workflows/news-weekly-review.md | Adds copilot-requests: write to enable Actions token-based Copilot inference. |
| .github/workflows/news-year-ahead.md | Adds copilot-requests: write to enable Actions token-based Copilot inference. |
| .github/workflows/news-committee-reports.lock.yml | Regenerated output: switches Copilot auth to ${{ github.token }} and reflects new permissions/redaction wiring. |
| .github/workflows/news-election-cycle.lock.yml | Regenerated output: switches Copilot auth to ${{ github.token }} and reflects new permissions/redaction wiring. |
| .github/workflows/news-evening-analysis.lock.yml | Regenerated output: switches Copilot auth to ${{ github.token }} and reflects new permissions/redaction wiring. |
| .github/workflows/news-interpellations.lock.yml | Regenerated output: switches Copilot auth to ${{ github.token }} and reflects new permissions/redaction wiring. |
| .github/workflows/news-month-ahead.lock.yml | Regenerated output: switches Copilot auth to ${{ github.token }} and reflects new permissions/redaction wiring. |
| .github/workflows/news-monthly-review.lock.yml | Regenerated output: switches Copilot auth to ${{ github.token }} and reflects new permissions/redaction wiring. |
| .github/workflows/news-motions.lock.yml | Regenerated output: switches Copilot auth to ${{ github.token }} and reflects new permissions/redaction wiring. |
| .github/workflows/news-propositions.lock.yml | Regenerated output: switches Copilot auth to ${{ github.token }} and reflects new permissions/redaction wiring. |
| .github/workflows/news-quarter-ahead.lock.yml | Regenerated output: switches Copilot auth to ${{ github.token }} and reflects new permissions/redaction wiring. |
| .github/workflows/news-realtime-monitor.lock.yml | Regenerated output: switches Copilot auth to ${{ github.token }} and reflects new permissions/redaction wiring. |
| .github/workflows/news-translate.lock.yml | Regenerated output: switches Copilot auth to ${{ github.token }} and reflects new permissions/redaction wiring. |
| .github/workflows/news-week-ahead.lock.yml | Regenerated output: switches Copilot auth to ${{ github.token }} and reflects new permissions/redaction wiring. |
| .github/workflows/news-weekly-review.lock.yml | Regenerated output: switches Copilot auth to ${{ github.token }} and reflects new permissions/redaction wiring. |
| .github/workflows/news-year-ahead.lock.yml | Regenerated output: switches Copilot auth to ${{ github.token }} and reflects new permissions/redaction wiring. |

| `safe-outputs.create-pull-request.if-no-changes` | `warn` | Empty patches emit a warning instead of failing the run (e.g. duplicate-date dispatches) |
| `network.allowed` | `node`, `github`, `defaults` + explicit Docker Hub hosts (`docker.io`, `registry-1.docker.io`, `auth.docker.io`, `production.cloudflare.docker.com`) + IMF/SCB/Riksdag/Statskontoret/site domains | Ecosystem identifiers preferred per upstream `network.md`. The broad `containers` ecosystem (which would also permit `ghcr.io`, `quay.io`, `gcr.io`, `mcr.microsoft.com`, `pkgs.k8s.io`, …) is **deliberately omitted** to keep least-privilege egress; only the minimal Docker Hub hosts actually required to resolve `node:26-alpine` for the SCB and World Bank MCP servers are enumerated. Any future switch to `ghcr.io`, `quay.io`, or other registries must add the specific hosts and be reviewed against the egress allowlist policy before merge. |
| `permissions` | `contents: read`, `issues: read`, `pull-requests: read`, `actions: read`, `discussions: read`, `security-events: read` | Least-privilege agent token; write capabilities live exclusively in the safe-outputs runner job |
| `permissions` | `contents: read`, `issues: read`, `pull-requests: read`, `actions: read`, `discussions: read`, `security-events: read`, `copilot-requests: write` | Least-privilege agent token; write capabilities live exclusively in the safe-outputs runner job. `copilot-requests: write` enables **GitHub Actions token-based Copilot inference** (`COPILOT_GITHUB_TOKEN: ${{ github.token }}` in the compiled lock file) so the Copilot engine no longer needs a personal-access-token secret. Requires org-level centralized Copilot billing — see [gh-aw billing reference](https://github.github.com/gh-aw/reference/billing/). |
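Review bot: the README table now shows two `permissions` rows (the original one without `copilot-requests: write` and the new one with it); confirm the old row is actually deleted in the diff rather than left beside the new one, since a duplicated row would make the documented least-privilege token ambiguous. Also, the new row states that `copilot-requests: write` "Requires org-level centralized Copilot billing" but not what operators should expect when that is not enabled, now that the PAT path has been removed from the compiled lock files; one sentence on that (and on where the accepted-warnings count of 14 is tracked) would keep this row self-contained.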
@pethers pethers merged commit 154e5c5 into main Jun 22, 2026
14 checks passed
@pethers pethers deleted the copilot/fix-13600698-499860999-42304a36-b873-4f42-a925-291e07404a05 branch June 22, 2026 09:14