Add PAT pool support to agentic workflows

[vitek-karas]

Summary

• switch the agentic workflows to a numbered COPILOT_PAT_0..9 pool via a shared pat_pool import
• add PAT pool onboarding docs and a validate-pat-pool.yml workflow for ongoing secret validation
• recompile the generated lockfiles with gh-aw v0.80.9 and refresh the action lock metadata

Security review

• New secrets: COPILOT_PAT_0 through COPILOT_PAT_9
  • Reviewed as safe: these are only used to select a numbered Copilot PAT inside .github/workflows/shared/pat_pool.md, and the compiled workflows still pass the selected token only as COPILOT_GITHUB_TOKEN to the Copilot engine.
• New/updated actions:
  • github/gh-aw-actions/setup@v0.80.9
  • actions/cache/restore@v5.0.5
  • actions/cache/save@v5.0.5
  • actions/checkout@v7.0.0
  • existing actions/download-artifact@v8.0.1, actions/github-script@v9.0.0, actions/setup-node@v6.4.0, and actions/upload-artifact@v7.0.1 remained under gh-aw management
  • Reviewed as safe: all actions are GitHub-owned and were introduced by recompiling the workflows with the updated gh-aw toolchain.
• Redirect changes: none

Validation

• gh-aw.exe compile .github/workflows/maestro-auto-merge.agent.md --schedule-seed dotnet/xharness --no-check-update --force --approve --verbose
• gh-aw.exe compile .github/workflows/runtime-failure-observer.agent.md --schedule-seed dotnet/xharness --no-check-update --force --approve --verbose

[vitek-karas]

Note

AI-generated CI triage prepared with GitHub Copilot. Please verify details
before taking action.

I reviewed the current CI failures for this PR that Build Analysis did not already recognize.

Already tracked problems

• E2E Android - Manual Commands Helix Tests Build_Debug - System.Numerics.Vectors.Tests-x86.WorkItemExecution timed out after the Android emulator stayed offline
  • Tracked by: #1623 - E2E Android - Manual Commands leg fails: emulator stays offline
  • Why it matches: the Helix console log shows emulator-5554 staying offline for the full retry window on ubuntu.2204.amd64.android.29.open, which matches the issue’s summary and scope.

Build Analysis gaps

• Build Analysis identified the failing work item as an unknown failure and offered a “Create issue in this repo” link, but it appears to have missed the existing tracking issue #1623.
• The concrete failure evidence is in the Helix console log, where emulator-5554 remains offline until the workload times out.