Live test passed ✅

Verified before merge via a stacked test PR (#1734, since closed): a nodejs/** change triggered sdk-consistency-review running this branch's org-billing lock. All jobs (activation → agent → detection → safe_outputs → conclusion) succeeded — the Copilot engine authenticated with the built-in GITHUB_TOKEN (no COPILOT_GITHUB_TOKEN PAT in scope), confirming org billing is enabled for this repo.

Post-merge follow-ups (not in this PR)

These only become relevant if the repo later upgrades gh-aw past v0.77.5, which introduces two guards this version predates:

• Daily AI-credit guardrail. Newer gh-aw caps per-workflow daily AIC (default 5,000). Given measured volume (sdk-consistency-review peaks ~44 runs/day), a busy day is roughly 12k–18k AIC, so the default would throttle the reviewer. Recommend setting repo variable GH_AW_DEFAULT_MAX_DAILY_AI_CREDITS to 50000 (≈3× headroom) at that point, and/or a cheaper per-workflow model override.
• Confused-deputy bot guard. Newer gh-aw blocks bot-authored events unless allowlisted. The only bot pushing to PRs here is dependabot, so add bots: ["dependabot"] under on: then (gh-aw may already exempt it by default — verify at upgrade time).

The two hand-rolled workflows (java-codegen-check.yml, java-smoke-test.yml) still use the PAT and are intentionally left for a follow-up.

Scope narrowed after review

Per discussion, this PR now migrates only the 7 internal, event-triggered workflows and leaves the 4 reusable (workflow_call) handle-* workflows on COPILOT_GITHUB_TOKEN.

Reason: handle-bug, handle-question, handle-enhancement, and handle-documentation are designed to be called from other repositories. A non-org caller repo cannot use org billing (there's no org Copilot tenant to bill against) and genuinely needs a PAT — so migrating them would break their cross-repo portability contract. That's a deliberate design decision for the maintainers, so this PR no longer touches them. This also resolves the Copilot review comments about the now-stale cross-repo COPILOT_GITHUB_TOKEN guidance (those workflows are unchanged from main).

Re-converted to draft for another look given the narrowed scope.

⚠️ Blocked — maintainer input needed (do not merge)

While validating, I found that the dispatcher + handlers are a coupled unit: issue-classification calls handle-bug / handle-question / handle-enhancement / handle-documentation locally (uses: ./.github/workflows/handle-*.lock.yml) and passes Copilot auth through to them. So those 5 workflows must share one auth mode — migrating issue-classification to org billing while leaving the handle-* workflows on the PAT means the dispatcher stops passing COPILOT_GITHUB_TOKEN, and the handlers' auth fails at runtime. (The current scoped diff has exactly this inconsistency and is therefore not mergeable as-is.)

Open question for maintainers: does any external / non-org repository invoke these reusable handle-* workflows via uses: github/copilot-sdk/.github/workflows/handle-*.lock.yml@..., or are they only ever called locally by issue-classification within this repo?

• If only local (org-owned repo): org billing works for them too → migrate the whole unit (all 11) to org billing.
• If external/non-org callers exist: keep the whole unit (issue-classification + the 4 handle-*) on the PAT, and migrate only the 6 standalone workflows (sdk-consistency-review, issue-triage, release-changelog, cross-repo-issue-analysis, java-codegen-fix, java-adapt-handwritten-code-to-accept-upgrade-changes).

Parking this in draft pending that answer. (Aside: a per-repo runtime gate — org billing in the org repo, PAT otherwise — is conceptually expressible via github.repository_owner, but gh-aw generates the lock and offers no conditional-billing knob today, so it isn't practical without a gh-aw feature.)