
Commit 2252fde

priyanshu92 and Copilot committed
Fix Copilot CLI --secret-env-vars to expose the real env var names
The workflow exports the secret to the step env as COPILOT_GITHUB_TOKEN (line 97) and GH_TOKEN (line 100), but `--secret-env-vars` was set to `COPILOT_CLI_PAT` — which is the *secret* name, not the env var name. As a result, neither token was forwarded to the Copilot CLI sub-shells.

Observed effect on PR #1568:

- The agent could not call `gh api .../dependabot/alerts` (rule 1 of the prompt), so it fell back to `npm audit` as the source of truth.
- The PR body explicitly says: "COPILOT_GITHUB_TOKEN was not available in this environment, so npm audit was used as the vulnerability source of truth".

Fix: pass the actual env var names (`COPILOT_GITHUB_TOKEN,GH_TOKEN`) to `--secret-env-vars` so they are exposed to tool invocations and redacted from logs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 081400a commit 2252fde

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

.github/workflows/dependabot-autofix.yml

@@ -227,7 +227,7 @@ jobs:
227227
-s \
228228
--no-ask-user \
229229
--allow-tool 'shell(npm:*), shell(npx:*), shell(gh:*), shell(git:*), shell(node:*), write, read' \
230-
--secret-env-vars 'COPILOT_CLI_PAT' \
230+
--secret-env-vars 'COPILOT_GITHUB_TOKEN,GH_TOKEN' \
231231
--share ./copilot-session.md \
232232
| tee copilot-output.txt
233233
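Review bot: the fix itself is correct, since `--secret-env-vars` names environment variables rather than secrets, but now that `COPILOT_GITHUB_TOKEN` and `GH_TOKEN` are actually forwarded, the `--allow-tool` line in the same hunk grants `shell(npm:*)`, `shell(npx:*)` and `shell(node:*)`, so any package script or binary run during the autofix can read the token from its environment; it is worth confirming in the workflow that the PAT behind these variables is scoped to the minimum this job needs (reading Dependabot alerts and opening the fix PR) and nothing broader. Second, the commit message relies on `--secret-env-vars` redacting the values from logs; the same hunk also writes the session to `--share ./copilot-session.md` and pipes output through `| tee copilot-output.txt`, so please check that redaction covers those two files as well as the job log, and that neither file is uploaded as an artifact or committed unredacted. Finally, the two names must match the step `env:` keys exactly (the message cites lines 97 and 100); a short comment above `--secret-env-vars` noting that it takes env var names, not secret names, would prevent this mix-up from recurring.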
