[plan] Fix artipacked credential persistence in daily-copilot-token-report workflow #15058

@github-actions

Description

Objective

Fix the medium-severity security finding (artipacked) in daily-copilot-token-report.lock.yml so that credentials cannot persist through GitHub Actions artifacts.

Context

From discussion #15009: static analysis identified a credential persistence risk at line 115 of the workflow. This finding has been recurring since Feb 5.

Zizmor Finding:

  • Severity: Medium
  • Location: Line 115
  • Description: Credentials may persist through GitHub Actions artifacts
  • Impact: Potential credential exposure if artifacts are publicly accessible
  • Reference: docs.zizmor.sh/rules/artipacked

Approach

  1. Review daily-copilot-token-report.lock.yml (line 115) to identify artifact upload with credentials
  2. Check the source .md workflow file for the corresponding frontmatter/configuration
  3. Evaluate if token persistence through artifacts is necessary:
    • If necessary: Ensure artifacts are private, time-limited, and properly scoped
    • If not necessary: Remove artifact upload or sanitize content before upload
  4. Update the workflow to eliminate the security finding
  5. Recompile the workflow with make recompile
  6. Verify the fix with gh aw compile --zizmor or similar validation
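For reference, a constructed fragment (not the repository's workflow and not the content of line 115, which this plan does not quote) showing the pattern zizmor's artipacked rule flags, followed by the hardened form. actions/checkout persists the job token into .git/config unless persist-credentials is set to false, so an artifact that captures the whole workspace can carry that token; the job name, script name and artifact name below are placeholders.

```yaml
# Constructed example, before the fix: checkout keeps the token in .git/config
# (persist-credentials defaults to true) and the artifact uploads the entire
# workspace, .git/config included. This is what artipacked reports.
jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./generate-report.sh > report.json   # placeholder script name
      - uses: actions/upload-artifact@v4
        with:
          name: token-report                      # placeholder artifact name
          path: .                                 # whole workspace, including .git
---
# Hardened form: do not persist the token at all, upload only the report
# file rather than the workspace, and keep the artifact short-lived.
jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false              # no token written to .git/config
      - run: ./generate-report.sh > report.json
      - uses: actions/upload-artifact@v4
        with:
          name: token-report
          path: report.json                       # scoped to the output file only
          retention-days: 1                       # time-limited, per the approach above
```

If the workflow genuinely needs the token after checkout (for example to push), keep persist-credentials false and pass a scoped token to the specific step that needs it instead of letting it sit in the workspace.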

Files to Modify

  • .github/workflows/daily-copilot-token-report.md (source workflow)
  • .github/workflows/daily-copilot-token-report.lock.yml (will be regenerated)

Acceptance Criteria

  • artipacked finding eliminated from zizmor scan
  • No credentials persist in artifacts (or properly secured if required)
  • Workflow recompiled successfully
  • Workflow still functions as intended

AI generated by Plan Command for discussion #15009

  • expires on Feb 14, 2026, 1:28 AM UTC
