fix: id-token: read is invalid in GitHub Actions — use none#11095

Draft. Copilot wants to merge 2 commits into main from copilot/fix-agentic-triage-workflow

Conversation

Copilot AI commented Jun 25, 2026

Contributor

GitHub Actions rejects id-token: read as an invalid permission value; id-token only accepts none or write. The compiled lock workflows (issue-triage.lock.yml, bump-tcgc-csharp.lock.yml) had this set to read (expanded from all: read in the source .md), causing workflow validation failures.

  • Changed id-token: read → id-token: none in both lock files; these workflows don't use OIDC tokens.
  • Updated check-agentic-workflows.yml to apply a sed substitution (id-token: read → id-token: none) after gh aw compile runs but before the drift check, to account for a bug in gh aw compile v0.79.8 that generates the invalid id-token: read when expanding all: read in tokenless mode.

Co-authored-by: timotheeguerin <1031227+timotheeguerin@users.noreply.github.com>
@timotheeguerin

Member

@copilot review the doc here https://github.blog/changelog/2026-06-11-agentic-workflows-no-longer-need-a-personal-access-token/ to make sure you implemented correctly the tokenless agentic workflows

Copilot AI commented Jun 25, 2026

Contributor Author

@copilot review the doc here https://github.blog/changelog/2026-06-11-agentic-workflows-no-longer-need-a-personal-access-token/ to make sure you implemented correctly the tokenless agentic workflows

The tokenless implementation is already correct in both lock files:

  1. COPILOT_GITHUB_TOKEN: ${{ github.token }} (not a PAT/secret) — lines 845/1400 in issue-triage.lock.yml, lines 830/1376 in bump-tcgc-csharp.lock.yml
  2. copilot-requests: write permission declared in each job that needs Copilot access

The original failure was purely about id-token: read being an invalid GitHub Actions permission value — id-token only accepts none or write. This was a side-effect of gh aw compile naively expanding all: read from the .md source to all permissions, including id-token. Setting it to none is the correct fix since these workflows don't use OIDC tokens.

@timotheeguerin

Member

…ne after compile

Co-authored-by: timotheeguerin <1031227+timotheeguerin@users.noreply.github.com>

Copilot AI commented Jun 25, 2026

Contributor Author

@copilot agentic workflow check lock files failing https://github.com/microsoft/typespec/actions/runs/28190260114/job/83502712063?pr=11095

The CI failure was because gh aw compile v0.79.8 generates id-token: read (invalid in GitHub Actions) when expanding all: read in the tokenless mode. Our lock files had id-token: none (correct), but the check was running gh aw compile and diffing the output, which still had id-token: read.

Fixed in commit by updating check-agentic-workflows.yml to apply a sed substitution (id-token: read → id-token: none) after gh aw compile runs but before the diff check. The local simulation now passes cleanly.
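An added example (not the repository's check-agentic-workflows.yml or any code from this PR) of the compile → normalize → diff sequence the comments describe: the sed rewrite of the invalid id-token: read, plus a gate that verifies only the values GitHub Actions accepts for id-token (none or write) remain before the drift diff runs. Function names, the sample permissions block and the drift_check wrapper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the project's CI script. Reproduces the normalization
# step from the PR (gh aw compile v0.79.8 emits "id-token: read" when it
# expands "all: read") and gates the drift diff on a permission-value check.

# Print the lock file with "id-token: read" rewritten to "id-token: none".
# Only the id-token key is touched; every other "read" permission is kept.
normalize_id_token() {
  sed 's/^\( *\)id-token: read *$/\1id-token: none/' "$1"
}

# Return 0 when every id-token value in the file is "none" or "write" (the
# only values GitHub Actions accepts); otherwise list offending lines on
# stderr and return 1, so CI fails before a broken lock file is committed.
check_id_token_values() {
  bad=$(grep -n '^ *id-token:' "$1" | grep -v -E 'id-token: (none|write) *$' || true)
  if [ -n "$bad" ]; then
    printf 'invalid id-token permission value(s) in %s:\n%s\n' "$1" "$bad" >&2
    return 1
  fi
  return 0
}

# Mirror of the CI sequence: compiled output -> normalize -> validate -> diff
# against the committed lock file. $1 = freshly compiled file, $2 = committed.
# Returns non-zero on an invalid id-token value or on drift.
drift_check() {
  normalized=$(mktemp)
  normalize_id_token "$1" > "$normalized"
  check_id_token_values "$normalized" || { rm -f "$normalized"; return 1; }
  if diff -u "$2" "$normalized"; then status=0; else status=$?; fi
  rm -f "$normalized"
  return $status
}

# Constructed sample of what an expanded "all: read" block looks like after
# gh aw compile, written to the path given as $1.
write_sample_compiled() {
  printf 'permissions:\n  contents: read\n  id-token: read\n  copilot-requests: write\n' > "$1"
}
```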
