Allow overriding agentic engine env vars with custom secrets in engine.env

[Copilot]

• Update FilterEnvForSecrets to allow secrets where the env var KEY is in the allowed set (enabling override of engine env vars like COPILOT_GITHUB_TOKEN: ${{ secrets.MY_ORG_TOKEN }})
• Add getEngineBaseEnvVarKeys helper that looks up the engine in the registry and returns its base required env var key names
• Update validateEnvSecretsSection to accept allowed env var keys and skip those when checking engine.env secrets
• Update validateEnvSecrets to look up the engine's base required secret names and pass them as allowed keys for engine.env validation
• Add/update tests for both changes
• Code review feedback addressed
• Update wasm golden test files to reflect new compiled output
• Recompile workflow lock files
• Rename allowedSecrets param to allowedNamesAndKeys and update docs to reflect dual-purpose allowlist
• Add nil guard for allowedEnvVarKeys in validateEnvSecretsSection

Original prompt

Update the engine.env secret filtering to allow overriding the agentic engine environment variables. No other engine.env var is allowed to have secrets.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[pelikhan]

@copilot fix tests

Fix https://github.com/github/gh-aw/actions/runs/22231235044/job/64311625729#step:9:1

[Copilot]

Pull request overview

This PR updates engine.env secret handling so users can override engine-required environment variables (e.g. COPILOT_GITHUB_TOKEN) with differently-named org secrets, while still rejecting secrets in any other engine.env keys.

Changes:

• Update runtime env filtering (FilterEnvForSecrets) to allow a secret reference when either the referenced secret name or the env var key is allowlisted.
• Update strict-mode validation to exempt engine-required env var keys from secret detection within engine.env, using engine registry lookup to derive an allowlist.
• Add tests covering the new override behavior and ensuring non-engine secret keys still fail.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
pkg/workflow/strict_mode_validation.go	Adds engine-based allowlist for engine.env secret validation and new helper to derive base required keys.
pkg/workflow/engine_helpers.go	Adjusts runtime secret filtering to allow overrides based on env var key allowlisting.
pkg/workflow/env_secrets_validation_test.go	Adds strict-mode tests for allowed override + still-failing non-engine secret keys.
pkg/workflow/engine_helpers_secrets_test.go	Adds tests for allowing override with differently named secret and still filtering unrelated secrets.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

@copilot fix tests

Fix https://github.com/github/gh-aw/actions/runs/22231235044/job/64311625729#step:9:1

Fixed in 792404f. The wasm golden test files were out of date — updated them with go test -update and recompiled all workflow lock files.