refactor: update JavaScript and shell scripts to use RUNNER_TEMP paths

Updates runtime JavaScript (.cjs) and shell (.sh) scripts to use
process.env.RUNNER_TEMP and $RUNNER_TEMP instead of hardcoded /opt/gh-aw.
Also adds write access validation for RUNNER_TEMP in setup.sh.

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

Author: Copilot

.github/workflows/ci.yml

@@ -825,8 +825,8 @@ jobs:
         run: cd actions/setup/js && npm ci
       - name: Setup prompt templates for tests
         run: |
-          mkdir -p /opt/gh-aw/prompts
-          cp actions/setup/md/*.md /opt/gh-aw/prompts/
+          mkdir -p ${{ runner.temp }}/gh-aw/prompts
+          cp actions/setup/md/*.md ${{ runner.temp }}/gh-aw/prompts/
       - name: Run tests
         run: cd actions/setup/js && npm test
 

.github/workflows/copilot-maintenance.yml

@@ -41,9 +41,9 @@ jobs:
           GH_AW_REQUIRED_ROLES: "admin"
         with:
           script: |
-            const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
+            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
             setupGlobals(core, github, context, exec, io);
-            const { checkRepositoryPermission } = require('/opt/gh-aw/actions/check_permissions_utils.cjs');
+            const { checkRepositoryPermission } = require('${{ runner.temp }}/gh-aw/actions/check_permissions_utils.cjs');
             
             const actor = context.actor;
             const { owner, repo } = context.repo;

.github/workflows/smoke-claude.lock.yml

@@ -128,7 +128,7 @@ async function main() {
 
   // Read the issue template from the prompts directory
   // Allow override via environment variable for testing
-  const promptsDir = process.env.GH_AW_PROMPTS_DIR || "/opt/gh-aw/prompts";
+  const promptsDir = process.env.GH_AW_PROMPTS_DIR || `${process.env.RUNNER_TEMP}/gh-aw/prompts`;
   const templatePath = `${promptsDir}/workflow_recompile_issue.md`;
   let issueTemplate;
   try {

actions/setup/js/check_workflow_recompile_needed.cjs

@@ -276,7 +276,7 @@ Pull request #${pullRequest.number} is closed. The checkout failed because the b
     core.setOutput("checkout_pr_success", "false");
 
     // Load and render step summary template
-    const templatePath = "/opt/gh-aw/prompts/pr_checkout_failure.md";
+    const templatePath = `${process.env.RUNNER_TEMP}/gh-aw/prompts/pr_checkout_failure.md`;
     const template = fs.readFileSync(templatePath, "utf8");
     const summaryContent = renderTemplate(template, {
       error_message: errorMsg,

actions/setup/js/checkout_pr_branch.cjs

@@ -17,7 +17,7 @@ async function main() {
     const { resolveAllowedMentionsFromPayload } = require("./resolve_mentions_from_payload.cjs");
 
     // Load validation config from file and set it in environment for the validator to read
-    const validationConfigPath = process.env.GH_AW_VALIDATION_CONFIG_PATH || "/opt/gh-aw/safeoutputs/validation.json";
+    const validationConfigPath = process.env.GH_AW_VALIDATION_CONFIG_PATH || `${process.env.RUNNER_TEMP}/gh-aw/safeoutputs/validation.json`;
     let validationConfig = null;
     try {
       if (fs.existsSync(validationConfigPath)) {
@@ -155,7 +155,7 @@ async function main() {
     }
     const outputFile = process.env.GH_AW_SAFE_OUTPUTS;
     // Read config from file instead of environment variable
-    const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || "/opt/gh-aw/safeoutputs/config.json";
+    const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || `${process.env.RUNNER_TEMP}/gh-aw/safeoutputs/config.json`;
     let safeOutputsConfig;
     core.info(`[INGESTION] Reading config from: ${configPath}`);
     try {

actions/setup/js/collect_ndjson_output.cjs

@@ -177,7 +177,7 @@ function createParentIssueTemplate(groupId, titlePrefix, workflowName, workflowS
   const title = applyTitlePrefix(`${groupId} - Issue Group`, titlePrefix);
 
   // Load issue template
-  const issueTemplatePath = "/opt/gh-aw/prompts/issue_group_parent.md";
+  const issueTemplatePath = `${process.env.RUNNER_TEMP}/gh-aw/prompts/issue_group_parent.md`;
   const issueTemplate = fs.readFileSync(issueTemplatePath, "utf8");
 
   // Create template context

actions/setup/js/create_issue.cjs

@@ -20,7 +20,7 @@ const main = buildMissingIssueHandler({
   defaultTitlePrefix: "[missing data]",
   defaultLabels: ["agentic-workflows"],
   itemsField: "missing_data",
-  templatePath: "/opt/gh-aw/prompts/missing_data_issue.md",
+  templatePath: `${process.env.RUNNER_TEMP}/gh-aw/prompts/missing_data_issue.md`,
   templateListKey: "missing_data_list",
   buildCommentHeader: runUrl => [`## Missing Data Reported`, ``, `The following data was reported as missing during [workflow run](${runUrl}):`, ``],
   renderCommentItem: (item, index) => {

actions/setup/js/create_missing_data_issue.cjs

@@ -20,7 +20,7 @@ const main = buildMissingIssueHandler({
   defaultTitlePrefix: "[missing tool]",
   defaultLabels: ["agentic-workflows"],
   itemsField: "missing_tools",
-  templatePath: "/opt/gh-aw/prompts/missing_tool_issue.md",
+  templatePath: `${process.env.RUNNER_TEMP}/gh-aw/prompts/missing_tool_issue.md`,
   templateListKey: "missing_tools_list",
   buildCommentHeader: runUrl => [`## Missing Tools Reported`, ``, `The following tools were reported as missing during [workflow run](${runUrl}):`, ``],
   renderCommentItem: (tool, index) => {

actions/setup/js/create_missing_tool_issue.cjs

@@ -957,7 +957,7 @@ ${patchPreview}`;
         // Use the push-failed template with artifact download instructions.
         const runId = context.runId;
         const patchFileName = patchFilePath ? patchFilePath.replace("/tmp/gh-aw/", "") : "aw-unknown.patch";
-        const pushFailedTemplatePath = "/opt/gh-aw/prompts/manifest_protection_push_failed_fallback.md";
+        const pushFailedTemplatePath = `${process.env.RUNNER_TEMP}/gh-aw/prompts/manifest_protection_push_failed_fallback.md`;
         const pushFailedTemplate = fs.readFileSync(pushFailedTemplatePath, "utf8");
         fallbackBody = renderTemplate(pushFailedTemplate, {
           body,
@@ -975,7 +975,7 @@ ${patchPreview}`;
         const encodedBase = baseBranch.split("/").map(encodeURIComponent).join("/");
         const encodedHead = branchName.split("/").map(encodeURIComponent).join("/");
         const createPrUrl = `${githubServer}/${repoParts.owner}/${repoParts.repo}/compare/${encodedBase}...${encodedHead}?expand=1&title=${encodeURIComponent(title)}`;
-        const templatePath = "/opt/gh-aw/prompts/manifest_protection_create_pr_fallback.md";
+        const templatePath = `${process.env.RUNNER_TEMP}/gh-aw/prompts/manifest_protection_create_pr_fallback.md`;
         const template = fs.readFileSync(templatePath, "utf8");
         fallbackBody = renderTemplate(template, {
           body,