From c3cc6cf14b77c351787952bd370ff815719655e4 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 23 Mar 2026 21:12:22 +0000
Subject: [PATCH 1/2] Initial plan
From edb6522860bf6cd6db8e9a565d258e676e42316a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 23 Mar 2026 21:36:10 +0000
Subject: [PATCH 2/2] fix: pin unpinned on.steps action references to SHAs in compiler The compiler was already applying SHA pinning to custom steps: (main job) and post-steps:, but not to on.steps (pre-activation job steps). This caused uses: actions/github-script@v8 in on.steps to pass through unmodified into lock files. Apply ApplyActionPinsToTypedSteps to on.steps after extraction in processOnSectionAndFilters, then recompile all workflows so that daily-cli-performance.lock.yml and issue-monster.lock.yml now use the full SHA (ed597411d8f924073f98dfc5c65a23a2325f34cd) for all actions/github-script references.
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/07ec125b-1718-4f36-bc9b-df9c1ff21521
---
 .../workflows/daily-cli-performance.lock.yml | 2 +-
 .github/workflows/issue-monster.lock.yml | 2 +-
 pkg/workflow/compiler_orchestrator_workflow.go | 18 ++++++++++++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml
index 96db6432ff3..0c0948eb43d 100644
--- a/.github/workflows/daily-cli-performance.lock.yml
+++ b/.github/workflows/daily-cli-performance.lock.yml
@@ -1251,7 +1251,7 @@ jobs: await main(); - name: Detect recent compilation-related changes id: changes - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { owner, repo } = context.repo;
diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml
index 27158fb3346..6b5ffacd7e1 100644
--- a/.github/workflows/issue-monster.lock.yml
+++ b/.github/workflows/issue-monster.lock.yml
@@ -1416,7 +1416,7 @@ jobs: await main(); - name: Search for candidate issues id: search - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const { owner, repo } = context.repo;
diff --git a/pkg/workflow/compiler_orchestrator_workflow.go b/pkg/workflow/compiler_orchestrator_workflow.go
index 58cec6aab9b..a03b25bee36 100644
--- a/pkg/workflow/compiler_orchestrator_workflow.go
+++ b/pkg/workflow/compiler_orchestrator_workflow.go
@@ -865,6 +865,24 @@ func (c *Compiler) processOnSectionAndFilters(
 if err != nil {
 return err
 }
+
+ // Apply action pinning to on.steps
+ if len(onSteps) > 0 {
+ anySteps := make([]any, len(onSteps))
+ for i, s := range onSteps {
+ anySteps[i] = s
+ }
+ typedSteps, convErr := SliceToSteps(anySteps)
+ if convErr == nil {
+ typedSteps = ApplyActionPinsToTypedSteps(typedSteps, workflowData)
+ for i, s := range typedSteps {
+ onSteps[i] = s.ToMap()
+ }
+ } else {
+ orchestratorWorkflowLog.Printf("Failed to convert on.steps to typed steps for action pinning: %v", convErr)
+ }
+ }
+
 workflowData.OnSteps = onSteps
 
 // Extract on.permissions for pre-activation job permissions
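Review bot: The `else` branch fails open: when `SliceToSteps` returns an error, the code only logs it and then assigns the untouched `onSteps` to `workflowData.OnSteps`, so a mutable reference such as `actions/github-script@v8` would still reach the lock file, which is the case this commit sets out to close. The function already returns errors (see the `return err` just above), so prefer failing the compile with something like `return fmt.Errorf("pinning actions in on.steps: %w", convErr)` (assuming `fmt` is imported in this file), or at least surface a user-visible warning rather than a logger line that may only appear in debug output. The write-back `onSteps[i] = s.ToMap()` also assumes `typedSteps` has the same length as `onSteps`; that is not visible here, so a length check before the loop would be a cheap guard. `processOnSectionAndFilters` starts and ends outside the hunk.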