Update smoke-Claude to import go-make shared workflow (#11513)

[log] Add debug logging to safe outputs and runtime step generation (#…

…11461)

docs: Document remove-labels safe output type (#11425)

[code-scanning-fix] Fix go/unsafe-quoting: Escape single quotes in JS…

…ON data (#11382)

* Fix go/unsafe-quoting: Escape single quotes in JSON data

- Add proper shell escaping for JSON data embedded in environment variables
- Prevents potential command injection via single quotes in user data
- Fixes CodeQL alert #538 (Critical severity)
- Uses POSIX-compatible '\''escaping technique

Security: Addresses CWE-78, CWE-89, CWE-94

* Replace manual quote escaping with %q format specifier (#11386)

* Initial plan

* Use %q for JSON escaping in YAML dictionary values

Replaced manual single-quote escaping with Go's %q format specifier, which:
- Automatically handles all special characters and escaping
- Produces cleaner YAML with double quotes instead of single quotes
- Follows existing codebase patterns (e.g., add_comment.go)
- Simplifies code by removing manual string replacement logic

This addresses the feedback to use simpler escaping for JSON data in YAML dictionary values.

Co-authored-by: pelikhan <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: pelikhan <[email protected]>

* Replace manual quote escaping with %q format specifier for YAML encoding (#11392)

* Initial plan

* Recompile workflows after security fix

Co-authored-by: pelikhan <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: pelikhan <[email protected]>

* Add changeset [skip-ci]

---------

Co-authored-by: Code Scanning Fixer Bot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: pelikhan <[email protected]>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Add campaign labels to worker workflows for discovery (#11384)

docs: document --push flag safety features (#11367)

Updates CLI documentation to reflect the safety features added to the
--push flag in PR #11343:

- Remote repository requirement
- Default branch validation
- User confirmation prompt (auto-confirmed in CI)

Updated documentation for:
- gh aw init --push
- gh aw run --push
- gh aw upgrade --push

Co-authored-by: Claude Sonnet 4.5 <[email protected]>

Add safe-inputs gh CLI testing to smoke workflows (#11299)

Allow id-token: write permission in strict mode (#11307)

Update MCP Gateway to v0.0.76 (#11258)

Add version check to upgrade command to enforce latest extension (#11187

)