fix: SHA-pin actions/setup in agentics-maintenance.yml generation

[Copilot]

• Fix maintenance_workflow.go to enable SHA pinning for github/gh-aw/actions/setup in the generated agentics-maintenance.yml
• Introduce ActionSHAResolver interface with ResolveSHA(repo, version string) (string, error) in action_resolver.go
• Change ResolveSetupActionReference to accept ActionSHAResolver instead of *ActionResolver — calls ResolveSHA directly, no WorkflowData created anywhere
• Update call sites in action_reference.go and maintenance_workflow.go to use the interface type (with nil-safety for the concrete-pointer-to-interface pitfall)
• Update tests in action_reference_test.go
• Validated with make fmt lint and targeted unit tests

Original prompt

---

This section details on the original issue you should resolve

<issue_title>gh aw compile consistent actions/setup sha generation</issue_title>
<issue_description>gh aw compile emits .github/workflows/agentics-maintenance.yml without pinned sha for actions/setup, instead generates uses: github/gh-aw/actions/setup@v0.50.3. This differs from the other emitted actions/setup references which are emitted as

uses: github/gh-aw/actions/setup@b70143d20a8292a3180986fa71533fdb8acb79e3 # v0.50.3
```</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
<comment_new><author>@pelikhan</author><body>
@copilot add action pin sha resolution to agentic maintenance generation.</body></comment_new>
</comments>

• Fixes gh aw compile consistent actions/setup sha generation #18373

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[github-actions]

👋 Great work on this bug fix, @Copilot! The SHA-pinning inconsistency in agentics-maintenance.yml generation was a real gap — having GenerateMaintenanceWorkflow produce tag-only references while every other emitted setup reference used SHA # tag format was confusing and undermined the security guarantees of action pinning.

The fix is clean: borrowing the shared ActionResolver from workflowDataList[0] (with a proper nil-guard fallback) is minimal and correct, the new test case in maintenance_workflow_test.go validates the SHA-pinned output end-to-end, and the PR description clearly explains the root cause and the before/after. This looks ready for maintainer review! 🚀

Generated by Contribution Check

[pelikhan]

@copilot review code update and see if it is possible to refactor without having to create a mini workflow data.

[Copilot]

@copilot review code update and see if it is possible to refactor without having to create a mini workflow data.

Refactored in b29c1b5. ResolveSetupActionReference now accepts *ActionResolver directly instead of *WorkflowData. The mini WorkflowData is created inside the function only when needed for SHA resolution, keeping call sites clean:

// maintenance_workflow.go — no WorkflowData creation at call site
var resolver *ActionResolver
if len(workflowDataList) > 0 {
    resolver = workflowDataList[0].ActionResolver
}
setupActionRef := ResolveSetupActionReference(actionMode, version, actionTag, resolver)

// action_reference.go — compiler passes data.ActionResolver
return ResolveSetupActionReference(c.actionMode, c.version, c.actionTag, resolver)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[pelikhan]

@copilot create dedicated go interface for this type

[Copilot]

Done in fd90936. Introduced ActionSHAResolver interface in action_resolver.go:

// ActionSHAResolver is the minimal interface for resolving an action tag to its commit SHA.
type ActionSHAResolver interface {
    ResolveSHA(repo, version string) (string, error)
}

ResolveSetupActionReference now accepts ActionSHAResolver and calls ResolveSHA directly — no WorkflowData is created anywhere in this path. *ActionResolver satisfies the interface without any changes.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

Fixes missing SHA pinning for github/gh-aw/actions/setup in the generated agentics-maintenance.yml, aligning maintenance workflow generation with other action pinning behavior.

Changes:

• Introduces ActionSHAResolver interface and updates ResolveSetupActionReference to use it for SHA resolution.
• Updates maintenance workflow generation to pass an action SHA resolver so actions/setup can be emitted as a SHA-pinned uses: reference.
• Refreshes action pin/lock data (including anchore/sbom-action@v0) and updates related tests.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
pkg/workflow/maintenance_workflow.go	Passes an action SHA resolver into setup action reference resolution during maintenance workflow generation.
pkg/workflow/maintenance_workflow_test.go	Adds coverage asserting SHA-pinned setup action ref in release mode when a resolver/cache is available.
pkg/workflow/action_resolver.go	Adds the ActionSHAResolver interface used by reference resolution code.
pkg/workflow/action_reference.go	Refactors setup action reference resolution to accept an interface and call ResolveSHA directly.
pkg/workflow/action_reference_test.go	Updates tests to use resolver interface rather than WorkflowData.
pkg/workflow/data/action_pins.json	Adds a pin entry for anchore/sbom-action@v0.
.github/aw/actions-lock.json	Syncs lock data with the new anchore/sbom-action@v0 pin.
.github/workflows/release.lock.yml	Updates anchore/sbom-action pinned SHA used by the release workflow.
.devcontainer/devcontainer.json	Reorders devcontainer feature entries (no functional change).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The docstring examples use “# ”, but this function passes the selected tag (actionTag override or version) to formatActionReference, so the comment will be “# ” (not necessarily the compiler version). Updating the comment/examples would avoid misleading callers when actionTag differs from version.

Suggested change

	// - For release mode with resolver: "github/gh-aw/actions/setup@<sha> # <version>" (SHA-pinned)
	// - For release mode without resolver: "github/gh-aw/actions/setup@<version>" (tag-based, SHA resolved later)
	// - Falls back to local path if version is invalid in release mode
	// - For release mode with resolver: "github/gh-aw/actions/setup@<sha> # <tag>" (SHA-pinned, where <tag> is actionTag or version)
	// - For release mode without resolver: "github/gh-aw/actions/setup@<tag>" (tag-based, SHA resolved later)
	// - Falls back to local path if tag is invalid (empty or "dev") in release mode

[Copilot]

The comment says this uses the “first available WorkflowData's ActionResolver”, but the code only checks workflowDataList[0] (and doesn’t guard against workflowDataList[0] being nil). This can miss a resolver provided by later entries or panic if the slice contains a nil element. Consider iterating until you find the first non-nil WorkflowData with a non-nil ActionResolver (or explicitly document that index 0 is required).

Suggested change

	if len(workflowDataList) > 0 && workflowDataList[0].ActionResolver != nil {
	resolver = workflowDataList[0].ActionResolver
	for _, wfData := range workflowDataList {
	if wfData != nil && wfData.ActionResolver != nil {
	resolver = wfData.ActionResolver
	break
	}