fix: SHA-pin actions/setup in agentics-maintenance.yml generation #18378

Open

Copilot wants to merge 8 commits into main from copilot/add-action-pin-sha-resolution
Conversation

Copilot AI commented Feb 25, 2026

  • Fix maintenance_workflow.go to enable SHA pinning for github/gh-aw/actions/setup in the generated agentics-maintenance.yml
  • Introduce ActionSHAResolver interface with ResolveSHA(repo, version string) (string, error) in action_resolver.go
  • Change ResolveSetupActionReference to accept ActionSHAResolver instead of *ActionResolver — calls ResolveSHA directly, no WorkflowData created anywhere
  • Update call sites in action_reference.go and maintenance_workflow.go to use the interface type (with nil-safety for the concrete-pointer-to-interface pitfall)
  • Update tests in action_reference_test.go
  • Validated with make fmt lint and targeted unit tests
Original prompt

This section details the original issue you should resolve.

<issue_title>gh aw compile consistent actions/setup sha generation</issue_title>
<issue_description>gh aw compile emits .github/workflows/agentics-maintenance.yml without pinned sha for actions/setup, instead generates uses: github/gh-aw/actions/setup@v0.50.3. This differs from the other emitted actions/setup references which are emitted as

    uses: github/gh-aw/actions/setup@b70143d20a8292a3180986fa71533fdb8acb79e3 # v0.50.3
</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
<comment_new><author>@pelikhan</author><body>
@copilot add action pin sha resolution to agentic maintenance generation.</body></comment_new>
</comments>



Copilot AI and others added 2 commits February 25, 2026 16:44
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
… generation

Pass an ActionResolver from the first available WorkflowData to
ResolveSetupActionReference, enabling consistent SHA-pinned references
(e.g., github/gh-aw/actions/setup@SHA # tag) in the generated
agentics-maintenance.yml instead of tag-only references.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add action pin sha resolution to agentics maintenance" to "fix: SHA-pin actions/setup in agentics-maintenance.yml generation" on Feb 25, 2026
@github-actions

👋 Great work on this bug fix, @Copilot! The SHA-pinning inconsistency in agentics-maintenance.yml generation was a real gap — having GenerateMaintenanceWorkflow produce tag-only references while every other emitted setup reference used SHA # tag format was confusing and undermined the security guarantees of action pinning.

The fix is clean: borrowing the shared ActionResolver from workflowDataList[0] (with a proper nil-guard fallback) is minimal and correct, the new test case in maintenance_workflow_test.go validates the SHA-pinned output end-to-end, and the PR description clearly explains the root cause and the before/after. This looks ready for maintainer review! 🚀

Generated by Contribution Check

@pelikhan

@copilot review code update and see if it is possible to refactor without having to create a mini workflow data.

…etupActionReference

Avoid creating a mini WorkflowData at call sites. The function now takes
an *ActionResolver directly and creates the minimal WorkflowData internally
only when SHA resolution is needed.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Feb 25, 2026

@copilot review code update and see if it is possible to refactor without having to create a mini workflow data.

Refactored in b29c1b5. ResolveSetupActionReference now accepts *ActionResolver directly instead of *WorkflowData. The mini WorkflowData is created inside the function only when needed for SHA resolution, keeping call sites clean:

// maintenance_workflow.go — no WorkflowData creation at call site
var resolver *ActionResolver
if len(workflowDataList) > 0 {
    resolver = workflowDataList[0].ActionResolver
}
setupActionRef := ResolveSetupActionReference(actionMode, version, actionTag, resolver)

// action_reference.go — compiler passes data.ActionResolver
return ResolveSetupActionReference(c.actionMode, c.version, c.actionTag, resolver)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

if data != nil {
// If a resolver is available, try to resolve the SHA
if resolver != nil {
data := &WorkflowData{

@copilot create dedicated go interface for this type

Done in fd90936. Introduced ActionSHAResolver interface in action_resolver.go:

// ActionSHAResolver is the minimal interface for resolving an action tag to its commit SHA.
type ActionSHAResolver interface {
    ResolveSHA(repo, version string) (string, error)
}

ResolveSetupActionReference now accepts ActionSHAResolver and calls ResolveSHA directly — no WorkflowData is created anywhere in this path. *ActionResolver satisfies the interface without any changes.

…creation from ResolveSetupActionReference

Define ActionSHAResolver interface with ResolveSHA() method. Change
ResolveSetupActionReference to accept the interface instead of *ActionResolver.
Call ResolveSHA directly inside the function — no WorkflowData is created at all.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI commented Feb 26, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan pelikhan marked this pull request as ready for review February 26, 2026 02:46
Copilot AI review requested due to automatic review settings February 26, 2026 02:46
Copilot AI left a comment

Pull request overview

Fixes missing SHA pinning for github/gh-aw/actions/setup in the generated agentics-maintenance.yml, aligning maintenance workflow generation with other action pinning behavior.

Changes:

  • Introduces ActionSHAResolver interface and updates ResolveSetupActionReference to use it for SHA resolution.
  • Updates maintenance workflow generation to pass an action SHA resolver so actions/setup can be emitted as a SHA-pinned uses: reference.
  • Refreshes action pin/lock data (including anchore/sbom-action@v0) and updates related tests.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

Per-file summary:

  • pkg/workflow/maintenance_workflow.go: Passes an action SHA resolver into setup action reference resolution during maintenance workflow generation.
  • pkg/workflow/maintenance_workflow_test.go: Adds coverage asserting SHA-pinned setup action ref in release mode when a resolver/cache is available.
  • pkg/workflow/action_resolver.go: Adds the ActionSHAResolver interface used by reference resolution code.
  • pkg/workflow/action_reference.go: Refactors setup action reference resolution to accept an interface and call ResolveSHA directly.
  • pkg/workflow/action_reference_test.go: Updates tests to use resolver interface rather than WorkflowData.
  • pkg/workflow/data/action_pins.json: Adds a pin entry for anchore/sbom-action@v0.
  • .github/aw/actions-lock.json: Syncs lock data with the new anchore/sbom-action@v0 pin.
  • .github/workflows/release.lock.yml: Updates anchore/sbom-action pinned SHA used by the release workflow.
  • .devcontainer/devcontainer.json: Reorders devcontainer feature entries (no functional change).


Comment on lines +29 to 31
// - For release mode with resolver: "github/gh-aw/actions/setup@<sha> # <version>" (SHA-pinned)
// - For release mode without resolver: "github/gh-aw/actions/setup@<version>" (tag-based, SHA resolved later)
// - Falls back to local path if version is invalid in release mode
Copilot AI Feb 26, 2026

The docstring examples use “# <version>”, but this function passes the selected tag (actionTag override or version) to formatActionReference, so the comment will be “# <tag>” (not necessarily the compiler version). Updating the comment/examples would avoid misleading callers when actionTag differs from version.

Suggested change
-// - For release mode with resolver: "github/gh-aw/actions/setup@<sha> # <version>" (SHA-pinned)
-// - For release mode without resolver: "github/gh-aw/actions/setup@<version>" (tag-based, SHA resolved later)
-// - Falls back to local path if version is invalid in release mode
+// - For release mode with resolver: "github/gh-aw/actions/setup@<sha> # <tag>" (SHA-pinned, where <tag> is actionTag or version)
+// - For release mode without resolver: "github/gh-aw/actions/setup@<tag>" (tag-based, SHA resolved later)
+// - Falls back to local path if tag is invalid (empty or "dev") in release mode

Comment on lines +154 to +155
if len(workflowDataList) > 0 && workflowDataList[0].ActionResolver != nil {
resolver = workflowDataList[0].ActionResolver
Copilot AI Feb 26, 2026

The comment says this uses the “first available WorkflowData's ActionResolver”, but the code only checks workflowDataList[0] (and doesn’t guard against workflowDataList[0] being nil). This can miss a resolver provided by later entries or panic if the slice contains a nil element. Consider iterating until you find the first non-nil WorkflowData with a non-nil ActionResolver (or explicitly document that index 0 is required).

Suggested change
-    if len(workflowDataList) > 0 && workflowDataList[0].ActionResolver != nil {
-        resolver = workflowDataList[0].ActionResolver
+    for _, wfData := range workflowDataList {
+        if wfData != nil && wfData.ActionResolver != nil {
+            resolver = wfData.ActionResolver
+            break
+        }

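As an added example, not code from the gh-aw project or from this PR: the ActionSHAResolver contract introduced earlier in the thread, the tag-versus-version rule from the first review comment, and the nil-safe resolver lookup from the second, in one runnable Go sketch. pinCacheResolver, workflowData, samplePins and the local path "./.github/actions/setup" are assumptions made for the example; the pin entry reuses the tag/SHA pair quoted in the issue.

```go
package main
import "fmt"
// ActionSHAResolver mirrors the interface the PR introduces.
type ActionSHAResolver interface {
	ResolveSHA(repo, version string) (string, error)
}
// pinCacheResolver is a hypothetical in-memory resolver (the real one consults the GitHub API and a cache).
type pinCacheResolver struct{ pins map[string]string }
func (p *pinCacheResolver) ResolveSHA(repo, version string) (string, error) {
	if sha, ok := p.pins[repo+"@"+version]; ok {
		return sha, nil
	}
	return "", fmt.Errorf("no pin for %s@%s", repo, version)
}
// samplePins is a constructed pin table using the tag/SHA pair quoted in the issue.
var samplePins = map[string]string{
	"github/gh-aw/actions/setup@v0.50.3": "b70143d20a8292a3180986fa71533fdb8acb79e3",
}
// workflowData stands in for WorkflowData; the field is a concrete pointer, as in
// the PR, which is what makes the nil-interface pitfall possible.
type workflowData struct{ ActionResolver *pinCacheResolver }
// firstResolver follows the review suggestion: scan every entry, skip nil ones, and
// return an untyped nil rather than a nil pointer boxed in a non-nil interface.
func firstResolver(list []*workflowData) ActionSHAResolver {
	for _, wf := range list {
		if wf != nil && wf.ActionResolver != nil {
			return wf.ActionResolver
		}
	}
	return nil
}
// resolveSetupActionReference: "<repo>@<sha> # <tag>" when the resolver pins the tag, "<repo>@<tag>"
// otherwise, local path when tag is empty or "dev"; tag is actionTag if set, else version.
func resolveSetupActionReference(version, actionTag string, r ActionSHAResolver) string {
	const repo = "github/gh-aw/actions/setup"
	tag := version
	if actionTag != "" {
		tag = actionTag
	}
	if tag == "" || tag == "dev" {
		return "./.github/actions/setup" // hypothetical local path, not taken from the page
	}
	if r != nil {
		if sha, err := r.ResolveSHA(repo, tag); err == nil {
			return fmt.Sprintf("%s@%s # %s", repo, sha, tag)
		}
	}
	return repo + "@" + tag
}
```

A tag the resolver cannot pin falls through to the tag-only form, which is exactly the inconsistency the issue reports when no resolver is wired in.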
Copilot AI and others added 3 commits February 25, 2026 19:11
* Initial plan

* Initial plan

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* fix: update TestGetActionPinsSorting count from 38 to 39 (actions/setup-go@v6 added)

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Successfully merging this pull request may close these issues.

gh aw compile consistent actions/setup sha generation

3 participants