fix: restore HTTPS_PROXY, fix chroot hosts/permissions, fix Bun crash

Four fixes for CI failures introduced by recent agent-authored PRs:

1. Restore HTTPS_PROXY in agent container (fixes #529)
   - HTTPS requires CONNECT method through Squid port 3128
   - Only HTTP_PROXY should be removed (intercept mode handles HTTP)

2. Copy container /etc/hosts to chroot (fixes Smoke Copilot)
   - Docker extra_hosts (host.docker.internal) only in container /etc/hosts
   - Chroot sees host's /etc/hosts which lacks this entry
   - Backup/copy/restore pattern like resolv.conf

3. Add .copilot directory permissions step (fixes Smoke Chroot)
   - sudo install creates root-owned ~/.copilot
   - Pre-create with runner:runner ownership in smoke-chroot.md

4. Use setup-bun action for Build Test Bun (fixes core dump)
   - Bun crashes when installed inside chroot (restricted /proc)
   - Install on host via oven-sh/setup-bun@v2, available in chroot via PATH

All smoke/build-test .md files include actions/checkout step for full
repo checkout (needed by postprocess local build).

Fixes #529

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Mossaka

.github/workflows/agentics-maintenance.yml

@@ -13,7 +13,7 @@
 # \  /\  / (_) | | | | ( | | | | (_) \ V  V /\__ \
 #  \/  \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
 #
-# This file was automatically generated by pkg/workflow/maintenance_workflow.go (v0.42.0). DO NOT EDIT.
+# This file was automatically generated by pkg/workflow/maintenance_workflow.go. DO NOT EDIT.
 #
 # To regenerate this workflow, run:
 #   gh aw compile
@@ -33,7 +33,7 @@ name: Agentic Maintenance
 
 on:
   schedule:
-    - cron: "37 0 * * *"  # Daily (based on minimum expires: 30 days)
+    - cron: "37 0 * * *"  # Daily (based on minimum expires: 7 days)
   workflow_dispatch:
 
 permissions: {}
@@ -47,7 +47,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Setup Scripts
-        uses: github/gh-aw/actions/setup@v0.42.0
+        uses: github/gh-aw/actions/setup@v0.42.2-28-gfba53102d
         with:
           destination: /opt/gh-aw/actions
 

.github/workflows/build-test-bun.lock.yml

@@ -11,12 +11,14 @@ permissions:
   issues: read
 name: Build Test Bun
 engine: copilot
+runtimes:
+  bun:
+    version: "latest"
 network:
   allowed:
     - defaults
     - github
     - node
-    - "bun.sh"
 tools:
   bash:
     - "*"
@@ -35,6 +37,11 @@ timeout-minutes: 15
 strict: true
 env:
   GH_TOKEN: "${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}"
+steps:
+  - name: Checkout repository
+    uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+    with:
+      persist-credentials: false
 ---
 
 # Build Test: Bun
@@ -43,12 +50,7 @@ env:
 
 ## Test Requirements
 
-1. **Install Bun**:
-   ```bash
-   curl -fsSL https://bun.sh/install | bash
-   export BUN_INSTALL="$HOME/.bun"
-   export PATH="$BUN_INSTALL/bin:$PATH"
-   ```
+1. **Verify Bun**: Bun is pre-installed. Run `bun --version` to confirm it's available on PATH.
 
 2. **Clone Repository**: `gh repo clone Mossaka/gh-aw-firewall-test-bun /tmp/test-bun`
    - **CRITICAL**: If clone fails, immediately call `safeoutputs-missing_tool` with message "CLONE_FAILED: Unable to clone test repository" and stop execution
@@ -81,7 +83,7 @@ If ANY test fails, report the failure with error details.
 **CRITICAL**: This workflow MUST fail visibly when errors occur:
 
 1. **Clone failure**: If repository clone fails, call `safeoutputs-missing_tool` with "CLONE_FAILED: [error message]"
-2. **Bun install failure**: Call `safeoutputs-missing_tool` with "BUN_INSTALL_FAILED: [error message]"
+2. **Bun not available**: If `bun --version` fails, call `safeoutputs-missing_tool` with "BUN_NOT_FOUND: bun not available on PATH"
 3. **Test failure**: Report in comment table with FAIL status and include failure details
 
 DO NOT report success if any step fails. The workflow should produce a clear, actionable error message.

.github/workflows/build-test-bun.md

@@ -33,6 +33,11 @@ timeout-minutes: 30
 strict: true
 env:
   GH_TOKEN: "${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}"
+steps:
+  - name: Checkout repository
+    uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+    with:
+      persist-credentials: false
 ---
 
 # Build Test: C++

.github/workflows/build-test-cpp.lock.yml

@@ -37,6 +37,11 @@ timeout-minutes: 15
 strict: true
 env:
   GH_TOKEN: "${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}"
+steps:
+  - name: Checkout repository
+    uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+    with:
+      persist-credentials: false
 ---
 
 # Build Test: Deno

.github/workflows/build-test-cpp.md

@@ -37,6 +37,11 @@ timeout-minutes: 15
 strict: true
 env:
   GH_TOKEN: "${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}"
+steps:
+  - name: Checkout repository
+    uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+    with:
+      persist-credentials: false
 ---
 
 # Build Test: Go