Harden workflow_call jobs against GHES output masking for artifact prefixes and target repo resolution #39742

Draft
Copilot wants to merge 4 commits into main from copilot/fix-cross-job-output-masking
Conversation

Copilot AI commented Jun 17, 2026


GHES secret masking can blank activation job outputs when values contain secret-like substrings, causing downstream needs.activation.outputs.* consumers to resolve empty. That breaks artifact downloads (prefix loss) and cross-repo GitHub App/token flows (target_repo / target_repo_name loss).

  • Artifact prefix: remove cross-job dependency in downstream jobs

    • Agent, conclusion, detection, and consolidated safe_outputs jobs now compute artifact-prefix locally via compute_artifact_prefix.sh.
    • Downstream artifact naming now uses step-local output (steps.artifact-prefix.outputs.prefix) instead of masked cross-job outputs.
  • Target repo fallback hardening for workflow_call

    • Added shared expression helpers:
      • targetRepoExprForWorkflowCall(): ${{ needs.activation.outputs.target_repo || github.repository }}
      • targetRepoNameExprForWorkflowCall(): ${{ needs.activation.outputs.target_repo_name || github.event.repository.name }}
    • Applied these to downstream repo/owner resolution paths (checkout manager cross-repo target, safe-outputs dispatch target repo injection, GitHub App owner/repository fallback wiring).
  • Compiler test updates

    • Updated expectations for local artifact prefix computation in workflow_call downstream jobs.
    • Updated expectations for target_repo* fallback expressions in GitHub App-related generated steps.
```yaml
# Before (mask-sensitive cross-job output)
name: ${{ needs.activation.outputs.artifact_prefix }}agent
repositories: ${{ needs.activation.outputs.target_repo_name }}

# After (local prefix + resilient fallback)
name: ${{ steps.artifact-prefix.outputs.prefix }}agent
repositories: ${{ needs.activation.outputs.target_repo_name || github.event.repository.name }}
```
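
As an added illustration, not code from this PR or from the project it targets, the following minimal reusable workflow applies both mitigations the description above lists: the downstream job derives its artifact prefix from a step-local output instead of a cross-job output, and it resolves the target repository with the same `||` fallback expressions. The job and step names, the inline prefix computation (the PR's compute_artifact_prefix.sh is not shown on this page, so a stand-in built from run metadata is assumed), and the extra warning step are all assumptions.

```yaml
# Added example, not code from this PR. Job names, the inline prefix
# computation and the warning step are assumptions; compute_artifact_prefix.sh
# from the PR is not shown here and is replaced by a run-metadata stand-in.
name: agentic-example

on:
  workflow_call:
    inputs:
      target_repo:
        description: Optional owner/name of the repository to act on
        required: false
        type: string

permissions:
  contents: read

jobs:
  activation:
    runs-on: ubuntu-latest
    outputs:
      # On GHES these can arrive downstream as empty strings when the runner
      # treats the value as secret-like, so consumers must not rely on them alone.
      artifact_prefix: ${{ steps.prefix.outputs.prefix }}
      target_repo: ${{ steps.target.outputs.repo }}
      target_repo_name: ${{ steps.target.outputs.name }}
    steps:
      - id: prefix
        run: echo "prefix=run-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}-" >> "$GITHUB_OUTPUT"
      - id: target
        env:
          TARGET: ${{ inputs.target_repo || github.repository }}
        run: |
          echo "repo=${TARGET}" >> "$GITHUB_OUTPUT"
          echo "name=${TARGET#*/}" >> "$GITHUB_OUTPUT"

  agent:
    needs: activation
    runs-on: ubuntu-latest
    steps:
      # Mitigation 1: recompute the prefix locally from run metadata that is
      # identical in every job of the same run, so the value never crosses the
      # job boundary where output masking can blank it.
      - id: artifact-prefix
        run: echo "prefix=run-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}-" >> "$GITHUB_OUTPUT"

      # Added check (not in the PR): surface a masked cross-job output instead
      # of letting the fallback below hide it.
      - if: needs.activation.outputs.target_repo == ''
        run: echo "::warning::activation.target_repo was empty; falling back to ${GITHUB_REPOSITORY}"

      - run: |
          mkdir -p agent-output
          echo "acting on ${TARGET_REPO} (${TARGET_REPO_NAME})" > agent-output/log.txt
        env:
          # Mitigation 2: an empty string is falsy in Actions expressions, so
          # a masked cross-job output falls back to the calling repository.
          TARGET_REPO: ${{ needs.activation.outputs.target_repo || github.repository }}
          TARGET_REPO_NAME: ${{ needs.activation.outputs.target_repo_name || github.event.repository.name }}

      - uses: actions/upload-artifact@v4
        with:
          name: ${{ steps.artifact-prefix.outputs.prefix }}agent
          path: agent-output/
```

The local recomputation works because `GITHUB_RUN_ID` and `GITHUB_RUN_ATTEMPT` are the same in every job of a run, so each job can rebuild the prefix without receiving it from activation. The `||` fallback is resilient but silent: if the activation output is blanked, a cross-repo flow quietly targets the calling repository instead, which is why the example emits a warning when the cross-job value is empty.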

Copilot AI and others added 3 commits June 17, 2026 06:39
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…puts

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…expressions

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix cross-job output masking issue" to "Harden workflow_call jobs against GHES output masking for artifact prefixes and target repo resolution" on Jun 17, 2026
Copilot AI requested a review from pelikhan June 17, 2026 06:59