Summary
The agentics-maintenance.yml workflow compiled by gh-aw v0.64.0 references github/gh-aw-actions/setup-cli using the mutable tag @v0.64.0 rather than a pinned full commit SHA. Every other action in this repo (and in copilot-setup-steps.yml) is pinned to a commit SHA for supply-chain integrity and reproducibility. This inconsistency weakens the security posture of the workflow.
What failed
- uses: github/gh-aw-actions/setup-cli@v0.64.0 — mutable tag, not a SHA pin.
- All other action references in the same repository use SHA-pinned references.
Why it failed
- The compiler's action pinning logic (via GetActionPin() and .github/aw/actions-lock.json) did not resolve and emit the commit SHA for setup-cli in the context of the maintenance workflow generation.
Root cause
- Gap in the action pinning/lock resolution logic in the compiler when generating maintenance workflow references to setup-cli.
- The correct SHA is known (51c65948c64ab6752536ead71fba1fc2c20ed0bc) and is used elsewhere; it simply wasn't applied here.
Supporting evidence / References
- PR Review Copilot observation 11
- Compiler pinning code: GetActionPin() and .github/aw/actions-lock.json
- Example of correct SHA pinning in copilot-setup-steps.yml in the same repo
Proposed fix
- Ensure GetActionPin() (or equivalent) correctly resolves and emits the SHA for setup-cli in all compiler code paths, including maintenance workflow generation.
- The suggestion from review: uses: github/gh-aw-actions/setup-cli@51c65948c64ab6752536ead71fba1fc2c20ed0bc # v0.64.0
- Add a compiler test asserting that all emitted action references are SHA-pinned (no bare tags).
Implementation plan
- Audit compiler workflow generators for any setup-cli or other action references that bypass the GetActionPin() / actions-lock.json resolution path.
- Fix the identified code path to use the SHA from the lock.
- Add a test asserting no mutable tag references in any compiled .lock.yml output.