fix(changeset): restrict safe-outputs allowed-files to .changeset/*.md

[Copilot]

The Changeset Generator workflow's push-to-pull-request-branch safe-outputs config used .changeset/**, which permits any file type in that directory. This allows the agent to inadvertently commit non-changeset artifacts (log files, etc.) alongside the intended markdown files.

Change

• Tightened allowed-files from .changeset/** → .changeset/*.md, restricting the patch validator to only accept markdown changeset files

safe-outputs:
  push-to-pull-request-branch:
    allowed-files:
      - .changeset/*.md   # was: .changeset/**

Recompiled changeset.lock.yml to reflect the updated configuration.

[Copilot]

Pull request overview

This PR tightens the Changeset Generator workflow’s safe-outputs configuration to prevent the agent from committing unintended non-changeset artifacts under .changeset/, limiting allowed patches to markdown changeset files only.

Changes:

• Restrict push-to-pull-request-branch.allowed-files from .changeset/** to .changeset/*.md in the workflow frontmatter.
• Regenerate changeset.lock.yml so the compiled safe-outputs config matches the updated restriction.

Show a summary per file

File	Description
.github/workflows/changeset.md	Narrows safe-outputs allowed-files to only permit .changeset/*.md changeset files.
.github/workflows/changeset.lock.yml	Recompiled lockfile reflecting the updated safe-outputs allowed-files glob in generated config.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 0
• Review effort level: Low