feat: portable GH_AW_HOME for self-hosted runner support

[Mossaka]

Summary

• Replace all hardcoded /opt/gh-aw/ paths with a GH_AW_HOME environment variable (defaults to /opt/gh-aw, falls back to $RUNNER_TEMP/gh-aw on self-hosted runners)
• setup.sh auto-detects a writable path and exports GH_AW_HOME to $GITHUB_ENV for all subsequent steps
• Shell contexts use ${GH_AW_HOME:-/opt/gh-aw}/..., JS require() uses (process.env.GH_AW_HOME || '/opt/gh-aw') + '/...'
• All 165 lock files recompiled with new path patterns

Why: GitHub-hosted runners allow writing to /opt/, but self-hosted runners typically don't — requiring admins to sudo mkdir -p /opt/gh-aw && sudo chmod 777 /opt/gh-aw. This change makes gh-aw work out of the box on both.

Security: $RUNNER_TEMP/gh-aw is NOT mounted into the AWF agent container (only $GITHUB_WORKSPACE and /tmp are writable to the agent), so the security model is preserved.

Test plan

• make build succeeds
• make test-unit — all tests pass (updated 36 test files + 3 golden fixtures)
• make test-js — all 209 JS test files pass (4928 tests)
• make golint-incremental BASE_REF=HEAD — 0 issues
• make recompile — all 165 lock files regenerated
• Verified compiled .lock.yml files use $GH_AW_HOME patterns correctly
• Smoke test on GitHub-hosted runner (backward compat: default /opt/gh-aw still works)

🤖 Generated with Claude Code

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

[github-actions]

❌ Tool validation failed! Agent Container Smoke Test detected missing tools: failed

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[pelikhan]

@copilot recompile, review code and simplify if possible (by compile resolved value and avoid repeating magic string)

[Copilot]

@pelikhan I've opened a new pull request, #19793, to work on those changes. Once the pull request is ready, I'll request review from you.

[pelikhan]

@copilot merge main and recompile

[Copilot]

@pelikhan I've opened a new pull request, #19817, to work on those changes. Once the pull request is ready, I'll request review from you.

[pelikhan]

@copilot define an environment variable on the job level to avoid repeating the macro everywhere

[Copilot]

@pelikhan I've opened a new pull request, #19823, to work on those changes. Once the pull request is ready, I'll request review from you.

[pelikhan]

@copilot merge main and recompile

[github-actions]

Hey @Mossaka 👋 — thanks for the ambitious work on GH_AW_HOME portability! Making gh-aw work out-of-the-box on self-hosted runners is a genuinely useful improvement, and the security analysis in the PR body is thoughtful. A few things would help get this across the finish line:

---

🔍 Checklist

Check	Result
On-topic	✅ yes
Follows process	⚠️ unclear (see below)
Focused	❌ no
New deps	✅ no
Has tests	✅ yes
Has description	✅ yes
Lines changed	31,443

---

⚠️ Issues Found

1. Unfocused — Multiple unrelated features bundled together

The PR title says "portable GH_AW_HOME for self-hosted runner support", but the diff actually ships three distinct features:

• GH_AW_HOME path portability — the stated goal (~200 lock files + setup_action_paths.go)
• OpenCode engine integration — a brand-new engine (opencode_engine.go +303 lines, opencode_mcp.go +71 lines, opencode_engine_test.go +369 lines, docs/guides/opencode.md, convert_gateway_config_opencode.sh) — also called out in .changeset/patch-add-opencode-engine.md under its own changelog entry
• Concurrency, expression extraction & schedule preprocessing improvements — concurrency.go (+51 lines), expression_extraction.go (+33 lines), schedule_preprocessing_test.go (+183 lines), and others

These three concerns should live in separate, reviewable PRs. As written, a reviewer can't confidently approve the GH_AW_HOME change without also auditing the OpenCode engine implementation, which is a significant new surface area.

2. Changeset description mismatch

.changeset/patch-add-opencode-engine.md reads "Add the OpenCode engine integration with its MCP/Gateway support and dynamic allowlists." — which doesn't match the PR title or description at all. This changeset should be in its own PR.

3. Process note

CONTRIBUTING.md states that PRs are created and managed by the core team using coding agents. If you're contributing as a community member, the expected path is to open a detailed issue with an agentic plan so a core team member can implement it. If you are on the core team, disregard this note.

---

🛠️ Suggested next steps

If you'd like a hand breaking this up, you can assign this prompt to your coding agent:

Split PR #19744 (github/gh-aw) into three focused pull requests:

1. **GH_AW_HOME portability** — include only:
   - All `.lock.yml` file changes that replace hardcoded `/opt/gh-aw/` with `\$\{GH_AW_HOME}` or `process.env.GH_AW_HOME`
   - `actions/setup/setup.sh` changes for auto-detecting writable path
   - `pkg/workflow/setup_action_paths.go` changes
   - A correctly-titled changeset entry (e.g. `.changeset/patch-gh-aw-home.md`)
   - PR description should focus on: why self-hosted runners can't write to /opt, the fallback logic to $RUNNER_TEMP/gh-aw, and the security note about agent container mounts

2. **OpenCode engine integration** — include only:
   - `pkg/workflow/opencode_engine.go`
   - `pkg/workflow/opencode_mcp.go`
   - `pkg/workflow/opencode_engine_test.go`
   - `actions/setup/sh/convert_gateway_config_opencode.sh`
   - `.github/workflows/smoke-opencode.md`
   - `docs/src/content/docs/guides/opencode.md`
   - `.changeset/patch-add-opencode-engine.md`
   - PR description should explain the new engine, its MCP/Gateway config, and dynamic allowlist behavior

3. **Compiler improvements** — include only:
   - `pkg/workflow/concurrency.go` + `concurrency_test.go`
   - `pkg/workflow/expression_extraction.go` + `expression_extraction_test.go`
   - `pkg/workflow/schedule_preprocessing_test.go`
   - Other unrelated compiler/safe-outputs fixes
   - A descriptive changeset entry

For each PR: run `make agent-finish` to validate (build, test, recompile, lint), ensure the title matches the actual changeset description, and confirm the smoke test passes before marking ready for review.

Generated by Contribution Check · ◷

[pelikhan]

Restarting fresh from #20143