diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 96db6432ff3..0c0948eb43d 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -1251,7 +1251,7 @@ jobs: await main(); - name: Detect recent compilation-related changes id: changes - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { owner, repo } = context.repo; diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 27158fb3346..6b5ffacd7e1 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -1416,7 +1416,7 @@ jobs: await main(); - name: Search for candidate issues id: search - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { owner, repo } = context.repo; diff --git a/pkg/workflow/compiler_orchestrator_workflow.go b/pkg/workflow/compiler_orchestrator_workflow.go index 58cec6aab9b..a03b25bee36 100644 --- a/pkg/workflow/compiler_orchestrator_workflow.go +++ b/pkg/workflow/compiler_orchestrator_workflow.go @@ -865,6 +865,24 @@ func (c *Compiler) processOnSectionAndFilters( if err != nil { return err } + + // Apply action pinning to on.steps + if len(onSteps) > 0 { + anySteps := make([]any, len(onSteps)) + for i, s := range onSteps { + anySteps[i] = s + } + typedSteps, convErr := SliceToSteps(anySteps) + if convErr == nil { + typedSteps = ApplyActionPinsToTypedSteps(typedSteps, workflowData) + for i, s := range typedSteps { + onSteps[i] = s.ToMap() + } + } else { + orchestratorWorkflowLog.Printf("Failed to convert on.steps to typed steps for action pinning: %v", convErr) + } + } + workflowData.OnSteps = onSteps // Extract on.permissions for pre-activation job permissions