fix: recompile workflows with gh-aw v0.42.11 and postprocess

The lock files were manually edited by Copilot instead of being
generated through the proper gh-aw compile + postprocess pipeline.
This caused all agent jobs to fail with TS18003 because sparse-checkout
only fetched .github/.agents folders, missing src/ and package.json.

Recompiled with gh-aw v0.42.11 and ran postprocess-smoke-workflows.ts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Mossaka

.github/workflows/agentics-maintenance.yml

@@ -13,7 +13,7 @@
 # \  /\  / (_) | | | | ( | | | | (_) \ V  V /\__ \
 #  \/  \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
 #
-# This file was automatically generated by pkg/workflow/maintenance_workflow.go (v0.42.10). DO NOT EDIT.
+# This file was automatically generated by pkg/workflow/maintenance_workflow.go. DO NOT EDIT.
 #
 # To regenerate this workflow, run:
 #   gh aw compile
@@ -46,8 +46,15 @@ jobs:
       issues: write
       pull-requests: write
     steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+        with:
+          sparse-checkout: |
+            actions
+          persist-credentials: false
+
       - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@v0.42.10
+        uses: ./actions/setup
         with:
           destination: /opt/gh-aw/actions
 
@@ -77,3 +84,118 @@ jobs:
             setupGlobals(core, github, context, exec, io);
             const { main } = require('/opt/gh-aw/actions/close_expired_pull_requests.cjs');
             await main();
+
+  compile-workflows:
+    runs-on: ubuntu-slim
+    permissions:
+      contents: read
+      issues: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+
+      - name: Setup Go
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Build gh-aw
+        run: make build
+
+      - name: Compile workflows
+        run: |
+          ./gh-aw compile --validate --verbose
+          echo "✓ All workflows compiled successfully"
+
+      - name: Setup Scripts
+        uses: ./actions/setup
+        with:
+          destination: /opt/gh-aw/actions
+
+      - name: Check for out-of-sync workflows and create issue if needed
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          script: |
+            const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+            setupGlobals(core, github, context, exec, io);
+            const { main } = require('/opt/gh-aw/actions/check_workflow_recompile_needed.cjs');
+            await main();
+
+  zizmor-scan:
+    runs-on: ubuntu-slim
+    needs: compile-workflows
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup Go
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Build gh-aw
+        run: make build
+
+      - name: Run zizmor security scanner
+        run: |
+          ./gh-aw compile --zizmor --verbose
+          echo "✓ Zizmor security scan completed"
+
+  secret-validation:
+    runs-on: ubuntu-slim
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout actions folder
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+        with:
+          sparse-checkout: |
+            actions
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        with:
+          node-version: '22'
+
+      - name: Setup Scripts
+        uses: ./actions/setup
+        with:
+          destination: /opt/gh-aw/actions
+
+      - name: Validate Secrets
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          # GitHub tokens
+          GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
+          GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
+          GH_AW_PROJECT_GITHUB_TOKEN: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}
+          GH_AW_COPILOT_TOKEN: ${{ secrets.GH_AW_COPILOT_TOKEN }}
+          # AI Engine API keys
+          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+          BRAVE_API_KEY: ${{ secrets.BRAVE_API_KEY }}
+          # Integration tokens
+          NOTION_API_TOKEN: ${{ secrets.NOTION_API_TOKEN }}
+        with:
+          script: |
+            const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+            setupGlobals(core, github, context, exec, io);
+            const { main } = require('/opt/gh-aw/actions/validate_secrets.cjs');
+            await main();
+
+      - name: Upload secret validation report
+        if: always()
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: secret-validation-report
+          path: secret-validation-report.md
+          retention-days: 30
+          if-no-files-found: warn