
fix: apply SHA pinning to on.steps in pre-activation job #22529

Merged
pelikhan merged 4 commits into main from copilot/pin-unpinned-actions-to-shas, Mar 23, 2026

Conversation


Copilot AI commented Mar 23, 2026

on.steps (custom steps injected into the pre-activation job) bypassed the SHA-pinning pipeline already applied to main steps: and post-steps:, causing uses: actions/github-script@v8 to pass through verbatim into lock files — a supply chain risk.

Changes

  • pkg/workflow/compiler_orchestrator_workflow.go: After extractOnSteps(), run the extracted steps through SliceToSteps → ApplyActionPinsToTypedSteps → convert back to []map[string]any, matching the pinning logic already applied to other step types.
  • daily-cli-performance.lock.yml / issue-monster.lock.yml: Recompiled — all actions/github-script@v8 references are now actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.
// Before (on.steps skipped pinning):
workflowData.OnSteps = onSteps

// After (pins applied before storing):
if len(onSteps) > 0 {
    anySteps := make([]any, len(onSteps))
    for i, s := range onSteps {
        anySteps[i] = s
    }
    if typedSteps, err := SliceToSteps(anySteps); err == nil {
        typedSteps = ApplyActionPinsToTypedSteps(typedSteps, workflowData)
        for i, s := range typedSteps {
            onSteps[i] = s.ToMap()
        }
    }
}
workflowData.OnSteps = onSteps

Warning

Firewall rules blocked me from connecting to one or more addresses.

The compiler was already applying SHA pinning to custom steps: (main
job) and post-steps:, but not to on.steps (pre-activation job steps).
This caused uses: actions/github-script@v8 in on.steps to pass through
unmodified into lock files.

Apply ApplyActionPinsToTypedSteps to on.steps after extraction in
processOnSectionAndFilters, then recompile all workflows so that
daily-cli-performance.lock.yml and issue-monster.lock.yml now use the
full SHA (ed597411d8f924073f98dfc5c65a23a2325f34cd) for all
actions/github-script references.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/07ec125b-1718-4f36-bc9b-df9c1ff21521
Copilot AI changed the title [WIP] Pin unpinned uses actions to SHAs in workflows fix: apply SHA pinning to on.steps in pre-activation job Mar 23, 2026
Copilot AI requested a review from pelikhan March 23, 2026 21:37
@pelikhan pelikhan marked this pull request as ready for review March 23, 2026 22:10
Copilot AI review requested due to automatic review settings March 23, 2026 22:10

Copilot AI left a comment


Pull request overview

Fixes a supply-chain gap where custom on.steps injected into the pre-activation job were not being SHA-pinned, allowing uses: ...@v* references to pass through into generated lock workflows.

Changes:

  • Apply the existing action SHA-pinning pipeline (SliceToSteps → ApplyActionPinsToTypedSteps → back to maps) to extracted on.steps.
  • Recompile lock workflows so actions/github-script@v8 is emitted as a pinned SHA reference.
  • Add/retain logging when on.steps cannot be converted to typed steps for pinning.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

  • pkg/workflow/compiler_orchestrator_workflow.go: Applies SHA pinning to on.steps before persisting into WorkflowData.
  • .github/workflows/issue-monster.lock.yml: Updates actions/github-script@v8 to a pinned SHA in the generated lock workflow.
  • .github/workflows/daily-cli-performance.lock.yml: Updates actions/github-script@v8 to a pinned SHA in the generated lock workflow.


Comment on lines +869 to +873
// Apply action pinning to on.steps
if len(onSteps) > 0 {
    anySteps := make([]any, len(onSteps))
    for i, s := range onSteps {
        anySteps[i] = s

Copilot AI Mar 23, 2026


New behavior (SHA-pinning for on.steps) isn’t covered by an automated test. There are tests for on.steps injection (e.g., pkg/workflow/on_steps_test.go), but none assert that uses: entries inside on.steps are rewritten to pinned SHAs in the generated lock YAML. Please add/extend a test to compile a workflow containing on.steps with a uses: actions/...@v* step and assert the lock output contains the pinned SHA form (including the # v* comment).

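The pinning pass this PR wires into on.steps, together with the lock-file assertion the review above asks a test for, as an added Go example that is not gh-aw's own code: pinTable, isPinned, pinUses, applyActionPins and findUnpinnedUses are assumed names, and the pin table is constructed sample data (the github-script@v8 SHA is the one quoted in the PR).

```go
// Added example, not gh-aw's code; pinTable is constructed sample data (the SHA
// is the github-script@v8 one quoted in the PR) and the names are hypothetical.
package main
import (
	"regexp"
	"strings"
)

var pinTable = map[string]string{ // "owner/repo@ref" -> resolved commit SHA
	"actions/github-script@v8": "ed597411d8f924073f98dfc5c65a23a2325f34cd",
}

var (
	shaRef   = regexp.MustCompile(`^[0-9a-f]{40}$`)
	usesLine = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^\s"']+)`)
)

// isPinned: local actions (./path) and refs already given as a 40-hex SHA.
func isPinned(uses string) bool {
	_, ref, ok := strings.Cut(uses, "@")
	return strings.HasPrefix(uses, "./") || (ok && shaRef.MatchString(ref))
}

// pinUses rewrites "owner/repo@v8" into "owner/repo@<sha> # v8", the form the
// recompiled lock files use. Unknown refs return unchanged with ok=false so the
// caller surfaces them instead of letting them pass through verbatim.
func pinUses(uses string) (string, bool) {
	if isPinned(uses) {
		return uses, true
	}
	action, ref, ok := strings.Cut(uses, "@")
	if sha, found := pinTable[action+"@"+ref]; ok && found {
		return action + "@" + sha + " # " + ref, true
	}
	return uses, false
}

// applyActionPins pins each uses: value in steps held as []map[string]any (the
// shape extractOnSteps yields) in place and returns the ones it could not pin.
func applyActionPins(steps []map[string]any) []string {
	var unpinned []string
	for _, step := range steps {
		if uses, isUses := step["uses"].(string); isUses { // run: steps skip
			if pinned, ok := pinUses(uses); ok {
				step["uses"] = pinned
			} else {
				unpinned = append(unpinned, uses)
			}
		}
	}
	return unpinned
}

// findUnpinnedUses is what a regression test for this PR would assert over the
// compiled lock YAML: every uses: line must carry a full SHA.
func findUnpinnedUses(lockYAML string) []string {
	var out []string
	for _, line := range strings.Split(lockYAML, "\n") {
		if m := usesLine.FindStringSubmatch(line); m != nil && !isPinned(m[1]) {
			out = append(out, m[1])
		}
	}
	return out
}
```

A test in the spirit of the review request compiles steps through applyActionPins, renders them, and fails if findUnpinnedUses reports anything.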
@pelikhan pelikhan merged commit 4474a9d into main Mar 23, 2026
53 checks passed
@pelikhan pelikhan deleted the copilot/pin-unpinned-actions-to-shas branch March 23, 2026 22:24
Development

Successfully merging this pull request may close these issues.

[plan] Pin unpinned-uses actions to SHAs in daily-cli-performance and issue-monster workflows