Refactor setup-safe-inputs to use file copying instead of inline embedding

[Copilot]

JavaScript files for safe-inputs MCP server were embedded directly into workflow YAML, preventing natural require() usage between modules. This made the files ~55KB larger per workflow and deviated from the pattern used by setup-safe-outputs.

Changes

• setup-safe-inputs action: Converted from node20 (embedded FILES) to composite action with copy-files.sh script
• Workflow compiler: Modified pkg/workflow/mcp_servers.go to call setup-safe-inputs action instead of writing JavaScript inline
• Build system: Updated pkg/cli/actions_build_command.go to copy 10 dependencies to actions/setup-safe-inputs/js/

Pattern

Both setup actions now follow the same approach:

# Before: ~4000 lines of embedded JavaScript in YAML
- name: Setup Safe Inputs JavaScript and Config
  run: |
    cat > /tmp/gh-aw/safe-inputs/read_buffer.cjs << 'EOF_READ_BUFFER'
    # ... 100+ lines of JavaScript ...
    
# After: Action copies files that can require() each other
- name: Setup Safe Inputs JavaScript Files
  uses: ./actions/setup-safe-inputs
  with:
    destination: /tmp/gh-aw/safe-inputs

Files now use standard require("./mcp_server_core.cjs") instead of runtime workarounds.

Impact

• 300KB total reduction across all workflows (29.3 MB → 29.0 MB)
• smoke-copilot-safe-inputs: 294KB → 239KB

Original prompt

Reference: https://github.com/githubnext/gh-aw/actions/runs/20480096423/job/58851886504#step:47:1

These files are copied by the action and can be required instead of inlined.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.