bump microsoft/apm-action to v1.4.1, add DefaultAPMActionVersion constant, rebuild wasm, recompile

[Copilot]

microsoft/apm-action@v1.4.0 had a bug where it shadowed a caller-provided GITHUB_TOKEN with GITHUB_APM_PAT (defaulting to github.token), breaking cross-org private repo installs. v1.4.1 fixes this.

Changes

• microsoft/apm-action v1.4.0 → v1.4.1 (cc84c04 → a190b0b) in .github/aw/actions-lock.json and synced to pkg/workflow/data/action_pins.json
• DefaultAPMActionVersion = "v1.4.1" added to pkg/constants/constants.go to explicitly track the microsoft/apm-action GitHub Action version
• apm_dependencies.go updated to use GetActionPinWithData with DefaultAPMActionVersion (consistent with the DefaultGitHubScriptVersion pattern used elsewhere)
• smoke-claude.lock.yml recompiled — the only workflow using APM dependencies
• Wasm binary rebuilt against updated action pins

[!WARNING]

---

📱 Kick off Copilot coding agent tasks wherever you are with GitHub Mobile, available on iOS and Android.

---

---

✨ PR Review Safe Output Test - Run 23614910060

💥 [THE END] — Illustrated by Smoke Claude · ◷

---

Changeset

• Type: patch
• Description: Updated microsoft/apm-action to v1.4.1 and added DefaultAPMActionVersion-based pin resolution for APM dependencies to fix token handling for cross-org private repository installs.

Generated by Changeset Generator for issue #23150 · ◷

[pelikhan]

@copilot recompile all workflows

[Copilot]

@copilot recompile all workflows

All 178 workflows are already recompiled — make recompile was run as part of the original commit and produces no further diffs. Only smoke-claude.lock.yml changed since it's the only workflow that references microsoft/apm-action.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0 --jq .object.sha (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[pelikhan]

@copilot update the apm versions in constants.go

[Copilot]

@copilot update the apm versions in constants.go

Added DefaultAPMActionVersion = "v1.4.1" to pkg/constants/constants.go and updated apm_dependencies.go to use it via GetActionPinWithData (consistent with the DefaultGitHubScriptVersion pattern). Commit: d8ae8fd

[Copilot]

Pull request overview

Updates the pinned microsoft/apm-action version to pick up a bugfix around token handling, and threads an explicit default action version constant through APM workflow generation so lockfiles and pins stay in sync.

Changes:

• Bumped microsoft/apm-action pin from v1.4.0 to v1.4.1 (SHA update) in action pin/lock data.
• Added DefaultAPMActionVersion = "v1.4.1" and used it when generating the APM pack step via GetActionPinWithData.
• Recompiled the locked smoke workflow to reference the new pinned SHA.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
pkg/workflow/data/action_pins.json	Updates the stored pin for microsoft/apm-action to v1.4.1 / new SHA.
pkg/workflow/apm_dependencies.go	Resolves microsoft/apm-action pin using GetActionPinWithData and the new default version constant.
pkg/constants/constants.go	Introduces DefaultAPMActionVersion to centrally track the default action version.
.github/workflows/smoke-claude.lock.yml	Updates the workflow lock to use the new microsoft/apm-action SHA/comment.
.github/aw/actions-lock.json	Updates the action lock entry for microsoft/apm-action to v1.4.1 / new SHA.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

GetActionPinWithData can return an empty actionRef with err == nil when it can’t pin the requested version (e.g., strict mode with no exact match, or repo not present in pins). This code only falls back on err != nil, so you can end up emitting uses: (empty) which produces invalid workflow YAML. Handle actionRef == "" as a failure case too, and fall back to a safe reference (e.g., repo@DefaultAPMActionVersion or GetActionPin(...)) while still logging the warning.

Suggested change

	if err != nil {
	if err != nil || actionRef == "" {

[Copilot]

The entries object in this file is otherwise kept in lexicographic order by key (e.g., haskell-actions/... then oven-sh/...). The newly added microsoft/apm-action@v1.4.1 entry is appended after super-linter/..., which breaks the established ordering and makes future diffs noisier. Move this entry to its sorted position.

[Copilot]

The entries object appears to be maintained in lexicographic order by key throughout the file, but the new microsoft/apm-action@v1.4.1 entry is appended after super-linter/.... Reinsert it at the appropriate sorted location to keep the lockfile deterministic and reduce diff noise.

[github-actions]

❌ Tool validation failed! Agent Container Smoke Test detected missing tools: failed

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...

[github-actions]

💥 Smoke test 23614910060 results:

1 ✅ GitHub MCP | 2 ✅ GH CLI | 3 ✅ Serena (3 symbols) | 4 ✅ Make build | 5 ✅ Playwright
6 ✅ Tavily search | 7 ✅ File write | 8 ✅ Bash | 9 ✅ Discussion | 10 ✅ AW MCP | 11 ✅ Slack
12 ✅ Update PR | 13 ✅ Review comments | 14 ✅ Submit review | 15 ✅ Resolve thread
16 ✅ Add reviewer | 17 ✅ Push branch | 18 ⚠️ Close PR (skipped — no safe PR)

Overall: PARTIAL (17 pass, 1 skipped)

💥 [THE END] — Illustrated by Smoke Claude · ◷

[github-actions]

💥 Automated smoke test review - all systems nominal! Reviewed the APM action bump from v1.4.0 to v1.4.1 with the new DefaultAPMActionVersion constant. The changes look clean and consistent with existing patterns.

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

The constant DefaultAPMActionVersion follows the same pattern as DefaultGitHubScriptVersion. Consider adding a brief comment linking to the upstream release notes or changelog so future reviewers can quickly verify what changed between versions.

[github-actions]

Commit pushed: ab0b8eb

Generated by Changeset Generator

[github-actions]

Smoke Test: Codex 23614909967

• Merged PRs: fix: fetch remote branch before pushing CI trigger empty commit to avoid non-fast-forward rejection #23152 fix: fetch remote branch before pushing CI trigger empty commit to avoid non-fast-forward rejection; Fall back to original base commit when git am --3way fails due to merge conflicts #23132 Fall back to original base commit when git am --3way fails due to merge conflicts
• GitHub MCP: ✅
• Serena MCP (activate + symbols): ✅
• Playwright title check: ✅
• Web-fetch check: ✅
• File write + bash verify + build: ✅
• Overall: PASS

🔮 The oracle has spoken through Smoke Codex · ◷