Grant bash execution permissions to Daily Workflow Updater #14415

Merged: pelikhan merged 2 commits into main from copilot/fix-daily-workflow-permissions on Feb 7, 2026

Copilot AI commented Feb 7, 2026

Daily Workflow Updater fails with missing_tool errors when attempting to execute gh aw update and git commands. The workflow's bash configuration used an explicit command allowlist which doesn't properly enable bash tool execution.

Changes

  • .github/workflows/daily-workflow-updater.md: Replace bash command allowlist with bash: true
  • .github/workflows/daily-workflow-updater.lock.yml: Regenerated with --allow-all-tools flag

Technical Details

The frontmatter bash configuration:

# Before: explicit command list (non-functional)
tools:
  bash:
    - "gh aw update --verbose"
    - "git status"
    # ...

# After: boolean flag
tools:
  bash: true

The compiler transforms bash: true → wildcard ["*"] → Copilot CLI --allow-all-tools flag, granting unrestricted bash execution to the agent.

Original prompt

This section details the original issue you should resolve

<issue_title>[plan] Grant Bash Execution Permissions to Daily Workflow Updater</issue_title>
<issue_description>## Objective

Fix permission denied errors preventing the Daily Workflow Updater from executing bash commands, specifically gh aw update and action update checks.

Context

From Discussion github/gh-aw#14345, the Daily Workflow Updater §21779197565 cannot execute bash commands due to permission restrictions. This prevents the workflow from:

  • Running gh aw update to update workflow files
  • Checking for action updates
  • Performing any bash-based automation

Approach

  1. Review the Daily Workflow Updater workflow configuration
  2. Check if bash tool execution is enabled in frontmatter
  3. Verify required GitHub Actions permissions are granted
  4. Add missing tool permissions in workflow frontmatter:
    tools:
      bash:
        enabled: true
  5. Test workflow can successfully execute bash commands
  6. Verify gh aw update command works correctly

Files to Modify

  • .github/workflows/daily-workflow-updater.md - Add bash tool permissions
  • Possibly .github/workflows/daily-workflow-updater.lock.yml - Will be regenerated

Acceptance Criteria

  • Bash execution permissions added to workflow frontmatter
  • Workflow recompiled with make recompile
  • Test run confirms bash commands execute successfully
  • gh aw update command works without permission errors
  • Action update checks complete successfully

AI generated by Plan Command for discussion #14345

  • expires on Feb 9, 2026, 2:05 PM UTC

Comments on the Issue (you are @copilot in this section)



Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix permission denied errors for Daily Workflow Updater" to "Grant bash execution permissions to Daily Workflow Updater" Feb 7, 2026
Copilot AI requested a review from pelikhan February 7, 2026 19:21
pelikhan marked this pull request as ready for review February 7, 2026 21:09
Copilot AI review requested due to automatic review settings February 7, 2026 21:09
pelikhan merged commit 7e9919d into main Feb 7, 2026
2 checks passed
pelikhan deleted the copilot/fix-daily-workflow-permissions branch February 7, 2026 21:09

Copilot AI left a comment

Pull request overview

Updates the Daily Workflow Updater agentic workflow to correctly grant bash execution permissions so it can run gh aw update and supporting git commands without missing_tool failures.

Changes:

  • Switch workflow frontmatter from a bash command allowlist to bash: true.
  • Regenerate the compiled .lock.yml to use Copilot CLI --allow-all-tools.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/workflows/daily-workflow-updater.md | Enables unrestricted bash tool execution via bash: true in frontmatter. |
| .github/workflows/daily-workflow-updater.lock.yml | Updates compiled workflow to pass --allow-all-tools to Copilot CLI and refreshes frontmatter hash. |


@@ -608,39 +608,11 @@ jobs:
- name: Execute GitHub Copilot CLI
id: agentic_execution
# Copilot CLI tool arguments (sorted):
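Review bot: Missing rationale for the wider permission at the Execute GitHub Copilot CLI step: the hunk header shows the step going from 39 lines to 11, and the "# Copilot CLI tool arguments (sorted):" header that remains is where a reader of the compiled file would look for what the agent may run. The description says bash: true compiles to --allow-all-tools, so the agent is no longer limited to "gh aw update --verbose", "git status" and the other listed commands. Suggest either keeping the explicit list and fixing why it produced missing_tool errors, or stating in daily-workflow-updater.md why unrestricted bash is needed for this workflow.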
Copilot AI Feb 7, 2026


The generated comment block for Copilot CLI tool args is now misleading: it prints # Copilot CLI tool arguments (sorted): but no entries, even though the command uses --allow-all-tools. This appears to come from generateCopilotToolArgumentsComment iterating args as flag/value pairs; --allow-all-tools is a standalone flag so it never renders. Consider updating the comment generator to handle single flags (emit # --allow-all-tools) so compiled workflows remain auditable.

Suggested change
# Copilot CLI tool arguments (sorted):
# Copilot CLI tool arguments (sorted):
# --allow-all-tools
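
The single-flag handling suggested in the review comment above, as an added Go example that is not gh-aw's code: renderToolArgsComment and unrestricted are hypothetical names, and the --allow-tool argument lists are constructed samples. It renders every argument, pair or standalone, and adds a check that reports when the list grants all tools.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// renderToolArgsComment (hypothetical name) renders every CLI argument as a
// comment line. A flag consumes the next token as its value only when that
// token is not itself a flag, so standalone flags are never skipped.
func renderToolArgsComment(args []string) string {
	var entries []string
	for i := 0; i < len(args); i++ {
		entry := args[i]
		isFlag := strings.HasPrefix(entry, "--")
		if isFlag && i+1 < len(args) && !strings.HasPrefix(args[i+1], "--") {
			entry += " " + args[i+1] // flag/value pair
			i++
		}
		entries = append(entries, entry)
	}
	sort.Strings(entries)
	var b strings.Builder
	b.WriteString("# Copilot CLI tool arguments (sorted):\n")
	for _, e := range entries {
		b.WriteString("# " + e + "\n")
	}
	return b.String()
}

// unrestricted (hypothetical name) reports whether the argument list grants
// every tool, which a CI check can use to flag wide-open compiled workflows.
func unrestricted(args []string) bool {
	for _, a := range args {
		if a == "--allow-all-tools" {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample argument lists, not taken from the real lock file.
	scoped := []string{"--allow-tool", "shell(git status)", "--allow-tool", "shell(gh aw update --verbose)"}
	open := []string{"--allow-all-tools"}
	fmt.Print(renderToolArgsComment(scoped), renderToolArgsComment(open))
	fmt.Println("unrestricted:", unrestricted(scoped), unrestricted(open))
}
```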
