fix(daily-security-observability): prevent step timeout downloading integrity-filtered logs

[Copilot]

gh aw logs --filtered-integrity was downloading all artifacts for every run over 7 days (no filter → gigabytes of data). The step ran ~10 min before the runner was killed; the AI agent never started.

Step fix

• Add --artifacts mcp — only the MCP gateway artifact (gateway.jsonl) is needed by runHasDifcFilteredItems(); eliminates the bulk of the download
• Add --timeout 8 — caps execution within the 60-min job budget
• Add || true — transient API errors or a timeout exit no longer fail the step
• Replace bare redirect with jq -e '.runs' validity check; writes a safe empty fallback on bad/missing output
• Fix count: jq '.runs | length' instead of jq '. | length' (was counting object keys, not runs)

-gh aw logs --filtered-integrity --start-date -7d --json -c 200 \
-  > /tmp/gh-aw/agent/integrity/filtered-logs.json
+gh aw logs --filtered-integrity --start-date -7d --json -c 200 \
+  --artifacts mcp --timeout 8 \
+  > /tmp/gh-aw/agent/integrity/filtered-logs.json || true
+
+if ! jq -e '.runs' /tmp/gh-aw/agent/integrity/filtered-logs.json > /dev/null 2>&1; then
+  echo '{"runs":[],"summary":{"total_runs":0}}' > /tmp/gh-aw/agent/integrity/filtered-logs.json
+fi

Prompt fix

• databaseId → run_id — RunData serializes the run ID as run_id; the old name would cause the agent to look for a non-existent field
• Clarify Step 3.1 check: "If the runs array is empty or missing" (file is a LogsData object, not a bare array)

[Copilot]

Pull request overview

This PR updates the daily-security-observability workflow to prevent gh aw logs --filtered-integrity from triggering large, unbounded artifact downloads that can cause the workflow step (and runner) to time out before the agent starts. It narrows the download to only the MCP artifact set, adds an explicit CLI timeout, and hardens the step against transient failures by validating (and defaulting) the produced JSON.

Changes:

• Limit gh aw logs downloads to --artifacts mcp and cap runtime with --timeout 8.
• Prevent step failure on transient errors/timeouts and ensure a valid LogsData JSON fallback via jq -e '.runs'.
• Fix prompt instructions to reference runs[].run_id and the runs array shape.

Show a summary per file

File	Description
.github/workflows/daily-security-observability.md	Narrows and hardens DIFC-filtered log download; updates prompt to match LogsData / RunData JSON fields.
.github/workflows/daily-security-observability.lock.yml	Regenerates the compiled workflow to reflect the updated download/validation logic.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 0