fix: escape regex metacharacters in workflow file pattern matching

[Copilot]

The sensitive file check in the auto-approval workflow had a regex pattern bug where the unescaped dot in .github/workflows/ acted as a wildcard, allowing false matches like _github/workflows/ or agithub/workflows/ to pass through.

Changes:

• Escaped the dot literal: .github/workflows/ → \.github/workflows/
• Added -E flag to grep for extended regex interpretation
• Updated to use bash array syntax for SENSITIVE_PATTERNS (merged from base branch)

- SENSITIVE_PATTERNS='
-   .github/workflows/
- '
+ SENSITIVE_PATTERNS=(
+   "\.github/workflows/"
+ )
  CHANGED_FILES=$(gh pr view "$PR_URL" --repo "$REPO" --json files | jq -r '.files[].path')
- for pattern in $SENSITIVE_PATTERNS; do
-   if echo "$CHANGED_FILES" | grep -q "^$pattern"; then
+ for pattern in "${SENSITIVE_PATTERNS[@]}"; do
+   if echo "$CHANGED_FILES" | grep -qE "^$pattern"; then

This ensures only paths starting with .github/workflows/ trigger the sensitive file block, preventing potential security bypass vectors.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[troinine]

@copilot please resolve conflicts first.

[Copilot]

@copilot please resolve conflicts first.

Conflicts resolved in commit 8fa0807. The merge successfully combines the array syntax from the base branch with the security fix (escaped dot and -E flag). The pattern matching now correctly blocks auto-approval for workflow file modifications while preventing false matches.