Pull request overview
This PR updates activation-job checkout generation to no longer depend on the workflow’s explicit contents: read permission, adds a regression test for that behavior, and refreshes pinned GitHub Action SHAs/versions.
Changes:
- Remove the activation-job `.github`/`.agents` checkout gating based on workflow permissions.
- Add a unit test asserting activation jobs still include the sparse checkout even when `permissions.contents` is not explicitly set.
- Update `action_pins.json` to newer pinned action versions/SHAs.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| pkg/workflow/compiler_activation_jobs.go | Removes workflow-permissions check and documents why activation always has contents: read. |
| pkg/workflow/runtime_import_checkout_test.go | Adds coverage to ensure activation job sparse checkout is present without explicit contents: read. |
| pkg/workflow/data/action_pins.json | Updates pinned action versions/SHAs; currently drops older pins relied upon by existing tests and introduces at least one key/version mismatch. |
Comments suppressed due to low confidence (1)
pkg/workflow/data/action_pins.json:47
- This update removes the `actions/github-script@v7` pin. Tests currently rely on an exact-match major pin for v7 (see `pkg/workflow/action_pins_logging_test.go` case "github-script v7 resolves to v7 pin (exact match)"). If v7 is intentionally no longer supported/pinned, those tests (and any defaults that request v7) should be updated in the same PR; otherwise, keep a v7 pin alongside v8 to preserve backwards compatibility for workflows using `@v7`.

```json
"actions/github-script@v8": {
  "repo": "actions/github-script",
  "version": "v8",
  "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd"
},
```
| }, | ||
| "erlef/setup-beam@v1": { | ||
| "repo": "erlef/setup-beam", | ||
| "version": "v1.20.4", |
Key/version mismatch: this entry is keyed as erlef/setup-beam@v1 but the version field is v1.20.4. getActionPins() warns on these mismatches and it diverges from the documented entries schema (key is repo@version). Consider updating the key to ...@v1.20.4 or changing version back to v1.
| "version": "v1.20.4", | |
| "version": "v1", |
| "actions/checkout@v6.0.2": { | ||
| "repo": "actions/checkout", | ||
| "version": "v6.0.2", | ||
| "sha": "de0fac2e4500dabe0009e67214ff5f5447ce83dd" | ||
| }, |
The new pins drop previously-pinned actions/checkout versions (e.g. v5 / v5.0.1). Existing unit tests assert those pins exist and will fail (see pkg/workflow/action_pins_test.go expected actions/checkout@... # v5 and # v5.0.1, and pkg/workflow/action_pins_logging_test.go strict-mode test for v5.0.1). Either restore the removed checkout pins or update the affected tests/defaults in the same PR so the pinning behavior stays consistent.
This issue also appears on line 43 of the same file.
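Both review comments above come down to invariants a pin file should satisfy before it is merged: every key must equal `repo@version`, every `sha` must be a full commit id (a tag name in the `sha` field silently turns a supply-chain pin back into a mutable reference), and pins that existing workflows or tests still request must not disappear. The following is an added example written for this review, not code from the project; it assumes the file is either a top-level map of `key -> {repo, version, sha}` or that map under an `entries` key, and the sample document, the `example/tag-only` entry and the placeholder SHA for `erlef/setup-beam` are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// pinEntry mirrors the three fields visible in the reviewed JSON.
// The struct tags are assumed from that snippet.
type pinEntry struct {
	Repo    string `json:"repo"`
	Version string `json:"version"`
	SHA     string `json:"sha"`
}

// pinsDoc is the assumed wrapper shape ({"entries": {...}}); a flat
// top-level map is accepted as a fallback.
type pinsDoc struct {
	Entries map[string]pinEntry `json:"entries"`
}

// A pin only immutably identifies a commit if it is a full 40-hex SHA.
var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// parsePins accepts either the wrapped or the flat layout.
func parsePins(data []byte) (map[string]pinEntry, error) {
	var doc pinsDoc
	if err := json.Unmarshal(data, &doc); err == nil && len(doc.Entries) > 0 {
		return doc.Entries, nil
	}
	var flat map[string]pinEntry
	if err := json.Unmarshal(data, &flat); err != nil {
		return nil, err
	}
	return flat, nil
}

// ValidatePins returns one sorted message per violated invariant:
// key != repo@version, sha not a full commit id, or a required key absent.
func ValidatePins(data []byte, required []string) ([]string, error) {
	pins, err := parsePins(data)
	if err != nil {
		return nil, err
	}
	var problems []string
	for key, p := range pins {
		if want := p.Repo + "@" + p.Version; key != want {
			problems = append(problems, fmt.Sprintf("key/version mismatch: %q should be %q", key, want))
		}
		if !fullSHA.MatchString(p.SHA) {
			problems = append(problems, fmt.Sprintf("%s: sha %q is not a full 40-hex commit id", key, p.SHA))
		}
	}
	for _, k := range required {
		if _, ok := pins[k]; !ok {
			problems = append(problems, fmt.Sprintf("missing required pin: %s", k))
		}
	}
	sort.Strings(problems)
	return problems, nil
}

// SampleDoc is a constructed pin file reproducing the mismatch from the
// review plus two constructed entries; the setup-beam SHA is a placeholder.
const SampleDoc = `{
  "entries": {
    "actions/checkout@v6.0.2": {"repo": "actions/checkout", "version": "v6.0.2", "sha": "de0fac2e4500dabe0009e67214ff5f5447ce83dd"},
    "erlef/setup-beam@v1": {"repo": "erlef/setup-beam", "version": "v1.20.4", "sha": "0123456789abcdef0123456789abcdef01234567"},
    "example/tag-only@v1": {"repo": "example/tag-only", "version": "v1", "sha": "v1"}
  }
}`

func main() {
	// actions/checkout@v5 is listed as required because tests still expect it.
	problems, err := ValidatePins([]byte(SampleDoc), []string{"actions/checkout@v6.0.2", "actions/checkout@v5"})
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(problems, "\n"))
}
```

Running `ValidatePins` over the real `action_pins.json` with the keys that `action_pins_test.go` and `action_pins_logging_test.go` look up as the `required` list would have flagged both the `erlef/setup-beam@v1` mismatch and the removed `actions/checkout` pins before review.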
Summary
- Removed `contents: read` permission check in activation job checkout, since the activation job always has this permission added automatically.
- Added a test that `.github` and `.agents` folders are checked out in activation jobs even without explicit `contents: read` in workflow permissions.
- Updated `action_pins.json` with latest pinned versions for several GitHub Actions.