diff --git a/pkg/cli/logs_ci_scenario_test.go b/pkg/cli/logs_ci_scenario_test.go
index 66cb3973cac..69d9db19440 100644
--- a/pkg/cli/logs_ci_scenario_test.go
+++ b/pkg/cli/logs_ci_scenario_test.go
@@ -67,7 +67,8 @@ func TestLogsJSONOutputWithNoRuns(t *testing.T) {
 // Skip this test if GitHub API is not accessible (e.g., no GH_TOKEN)
 if strings.Contains(errText, "failed to authenticate: no auth token found") ||
 strings.Contains(errText, "GitHub CLI authentication required. Run 'gh auth login' first") ||
- strings.Contains(errText, "could not find any workflows named nonexistent-workflow-12345") {
+ strings.Contains(errText, "could not find any workflows named nonexistent-workflow-12345") ||
+ strings.Contains(errText, "HTTP 403") {
 t.Skip("Skipping test: GitHub API behavior is not suitable for the no-runs scenario in this environment")
 }
 t.Fatalf("DownloadWorkflowLogs returned error: %v", err)
diff --git a/pkg/cli/logs_json_stderr_order_test.go b/pkg/cli/logs_json_stderr_order_test.go
index 6723544221d..3443ad4cb16 100644
--- a/pkg/cli/logs_json_stderr_order_test.go
+++ b/pkg/cli/logs_json_stderr_order_test.go
@@ -75,7 +75,8 @@ func TestLogsJSONOutputBeforeStderr(t *testing.T) {
 // Skip test if GitHub API is not accessible
 if err != nil {
 if strings.Contains(err.Error(), "no auth token found") ||
- strings.Contains(err.Error(), "GitHub CLI authentication required") {
+ strings.Contains(err.Error(), "GitHub CLI authentication required") ||
+ strings.Contains(err.Error(), "HTTP 403") {
 t.Skip("Skipping test: GitHub authentication not available")
 }
 // For other errors, we still want to verify the output format
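Review bot: Matching the bare substring `"HTTP 403"` in the skip condition of TestLogsJSONOutputWithNoRuns treats every forbidden response as an unsuitable environment, so a real authorization regression (a token that lost a scope, a permission change on the endpoint) now skips the test instead of failing it. The same clause is added in TestLogsJSONOutputBeforeStderr and TestLogsJSONAndStderrRedirected in logs_json_stderr_order_test.go, where the skip message still says authentication is "not available" although a 403 can equally mean the credential was accepted but lacked permission, or that a rate limit was hit. Putting the cause in the skip output would keep these skips visible in CI, e.g. `t.Skipf("Skipping test: GitHub API not accessible: %v", err)`, and the three copies of the check could live in one test helper. All three function bodies extend beyond their hunks.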
@@ -201,7 +202,8 @@ func TestLogsJSONAndStderrRedirected(t *testing.T) { // Skip test if GitHub API is not accessible if err != nil { if strings.Contains(err.Error(), "no auth token found") || - strings.Contains(err.Error(), "GitHub CLI authentication required") { + strings.Contains(err.Error(), "GitHub CLI authentication required") || + strings.Contains(err.Error(), "HTTP 403") { t.Skip("Skipping test: GitHub authentication not available") } } diff --git a/pkg/workflow/action_pins_test.go b/pkg/workflow/action_pins_test.go index 9ccd22f98fe..fa533a23f3c 100644 --- a/pkg/workflow/action_pins_test.go +++ b/pkg/workflow/action_pins_test.go @@ -910,8 +910,8 @@ func TestGetActionPinWithData_V7ExactMatch(t *testing.T) { t.Errorf("Expected v7 in result, got: %s", result) } - // Check the SHA matches v7 - expectedSHA := "bbbca2ddaa5d8feaa63e36b76fdaad77386f024f" + // Check the SHA matches v7 (resolves to v7.0.1 pin) + expectedSHA := "043fb46d1a93c77aae656e7c1c64a875d1fc6a0a" if !strings.Contains(result, expectedSHA) { t.Errorf("Expected SHA %s in result, got: %s", expectedSHA, result) } diff --git a/pkg/workflow/compile_outputs_comment_test.go b/pkg/workflow/compile_outputs_comment_test.go index 08c51ad40af..20997cae69d 100644 --- a/pkg/workflow/compile_outputs_comment_test.go +++ b/pkg/workflow/compile_outputs_comment_test.go @@ -277,7 +277,7 @@ This workflow tests the safe_outputs job generation. } // Verify the job uses github-script - if !strings.Contains(lockContent, "uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3") { + if !strings.Contains(lockContent, "uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71") { t.Error("Expected github-script action to be used in safe_outputs job") } diff --git a/pkg/workflow/compile_outputs_issue_test.go b/pkg/workflow/compile_outputs_issue_test.go index dec55ab958e..7f1f5bf6a7a 100644 --- a/pkg/workflow/compile_outputs_issue_test.go +++ b/pkg/workflow/compile_outputs_issue_test.go 
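Review bot: The pinned reference `"uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71"` in compile_outputs_comment_test.go is a hand-written literal, and the same literal is repeated in the compile_outputs_issue, compile_outputs_label, compile_outputs_pr, compute_text_lazy, pr_checkout, pr_ready_for_review_checkout, redact_secrets and safe_output_helpers tests, so every pin bump has to edit each copy and a missed one only shows up as a failing assertion. A shared test constant would keep them in step, e.g. `const githubScriptUses = "uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71"`, or the expected value could be read from the pin data the compiler itself uses, if tests can reach it. The failure message `"Expected github-script action to be used in safe_outputs job"` does not name the expected SHA, which makes a stale pin harder to diagnose. The enclosing test function starts outside the hunk.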
@@ -391,7 +391,7 @@ This workflow tests the create-issue job generation. } // Verify the job uses github-script - if !strings.Contains(lockContent, "uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3") { + if !strings.Contains(lockContent, "uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71") { t.Error("Expected github-script action to be used in safe_outputs job") } diff --git a/pkg/workflow/compile_outputs_label_test.go b/pkg/workflow/compile_outputs_label_test.go index a7d90b3e2cd..ed2f75ac708 100644 --- a/pkg/workflow/compile_outputs_label_test.go +++ b/pkg/workflow/compile_outputs_label_test.go @@ -137,7 +137,7 @@ This workflow tests the safe_outputs job generation. } // Verify the job uses github-script - if !strings.Contains(lockContent, "uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3") { + if !strings.Contains(lockContent, "uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71") { t.Error("Expected github-script action to be used in safe_outputs job") } diff --git a/pkg/workflow/compile_outputs_pr_test.go b/pkg/workflow/compile_outputs_pr_test.go index 5a17ad81952..667b51afd6c 100644 --- a/pkg/workflow/compile_outputs_pr_test.go +++ b/pkg/workflow/compile_outputs_pr_test.go @@ -163,7 +163,7 @@ This workflow tests the create_pull_request job generation. t.Error("Expected 'Process Safe Outputs' (handler manager) step in safe_outputs job") } - if !strings.Contains(lockContentStr, "uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3") { + if !strings.Contains(lockContentStr, "uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71") { t.Error("Expected github-script action to be used in safe_outputs job") } diff --git a/pkg/workflow/compute_text_lazy_test.go b/pkg/workflow/compute_text_lazy_test.go index 164e7a2cdc5..5981ca3b145 100644 --- a/pkg/workflow/compute_text_lazy_test.go +++ b/pkg/workflow/compute_text_lazy_test.go 
@@ -103,7 +103,7 @@ Create a report based on repository analysis.` t.Error("Expected compiled workflow to contain text output referencing sanitized step") } // Check that JavaScript is inlined instead of using shared action - if !strings.Contains(lockStr, "uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3") { + if !strings.Contains(lockStr, "uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71") { t.Error("Expected sanitized step to use inlined JavaScript") } // Check that it does NOT use the old shared action path diff --git a/pkg/workflow/mcp_logs_upload_test.go b/pkg/workflow/mcp_logs_upload_test.go index d330179d953..5ef1d3baf37 100644 --- a/pkg/workflow/mcp_logs_upload_test.go +++ b/pkg/workflow/mcp_logs_upload_test.go @@ -74,8 +74,8 @@ Please navigate to example.com and take a screenshot. t.Error("Expected 'Upload agent artifacts' step to be in generated workflow") } - // Verify the upload step uses actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f - if !strings.Contains(lockContentStr, "uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f") { + // Verify the upload step uses actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a + if !strings.Contains(lockContentStr, "uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a") { t.Error("Expected upload-artifact action to be used for artifact upload step") } 
@@ -176,8 +176,8 @@ This workflow does not use Playwright but should still have MCP logs upload. t.Error("Expected MCP logs path in unified artifact upload even when Playwright is not used") } - // Verify the upload step uses actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f - if !strings.Contains(lockContentStr, "uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f") { + // Verify the upload step uses actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a + if !strings.Contains(lockContentStr, "uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a") { t.Error("Expected upload-artifact action to be used for artifact upload step") } diff --git a/pkg/workflow/pr_checkout_test.go b/pkg/workflow/pr_checkout_test.go index 79a50aab6a0..c5e88326f12 100644 --- a/pkg/workflow/pr_checkout_test.go +++ b/pkg/workflow/pr_checkout_test.go @@ -214,8 +214,8 @@ Test workflow with permissions but checkout should be conditional. // If PR checkout is expected, verify it uses JavaScript with require() if tt.expectPRCheckout { - if !strings.Contains(lockStr, "uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3") { - t.Error("PR checkout step should use actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3") + if !strings.Contains(lockStr, "uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71") { + t.Error("PR checkout step should use actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71") } // In release mode, the script is loaded via require() from the custom action if !strings.Contains(lockStr, "require(") { 
@@ -290,8 +290,8 @@ Test workflow with multiple comment triggers. lockStr := string(lockContent) // Verify the checkout step uses actions/github-script - if !strings.Contains(lockStr, "uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3") { - t.Error("Expected PR checkout to use actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3") + if !strings.Contains(lockStr, "uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71") { + t.Error("Expected PR checkout to use actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71") } // Verify JavaScript code loads PR checkout module via require() diff --git a/pkg/workflow/pr_ready_for_review_checkout_test.go b/pkg/workflow/pr_ready_for_review_checkout_test.go index 0894ddbf9a0..cf565d0c10e 100644 --- a/pkg/workflow/pr_ready_for_review_checkout_test.go +++ b/pkg/workflow/pr_ready_for_review_checkout_test.go @@ -140,8 +140,8 @@ Test workflow without checkout (has permissions but checkout should be condition // If PR checkout is expected, verify it uses actions/github-script with require() if tt.expectPRCheckout { // Check for actions/github-script usage - if !strings.Contains(lockStr, "uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3") { - t.Error("PR checkout step should use actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3") + if !strings.Contains(lockStr, "uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71") { + t.Error("PR checkout step should use actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71") } // Check for require() pattern to load the checkout module if !strings.Contains(lockStr, "require(") { 
@@ -207,8 +207,8 @@ Test workflow with pull_request triggers. lockStr := string(lockContent) // Verify the checkout uses actions/github-script - if !strings.Contains(lockStr, "uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3") { - t.Error("Expected PR checkout to use actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3") + if !strings.Contains(lockStr, "uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71") { + t.Error("Expected PR checkout to use actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71") } // Verify JavaScript loads the checkout module via require() diff --git a/pkg/workflow/redact_secrets_test.go b/pkg/workflow/redact_secrets_test.go index caff688a9cb..726c5e8490a 100644 --- a/pkg/workflow/redact_secrets_test.go +++ b/pkg/workflow/redact_secrets_test.go @@ -302,8 +302,8 @@ Test workflow for secret redaction. } // Verify the redaction step uses actions/github-script - if !strings.Contains(lockStr, "uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3") { - t.Error("Expected redaction step to use actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3") + if !strings.Contains(lockStr, "uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71") { + t.Error("Expected redaction step to use actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71") } // Verify the redaction step runs with if: always() diff --git a/pkg/workflow/safe_output_helpers_test.go b/pkg/workflow/safe_output_helpers_test.go index f28b924daec..6bfc31f30db 100644 --- a/pkg/workflow/safe_output_helpers_test.go +++ b/pkg/workflow/safe_output_helpers_test.go 
@@ -34,7 +34,7 @@ func TestBuildGitHubScriptStep(t *testing.T) { "- name: Setup agent output environment variable", "- name: Test Step", "id: test_step", - "uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3", + "uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71", "env:", "GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}", "with:", @@ -63,7 +63,7 @@ func TestBuildGitHubScriptStep(t *testing.T) { "- name: Setup agent output environment variable", "- name: Create Issue", "id: create_issue", - "uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3", + "uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71", "GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}", "GH_AW_ISSUE_TITLE_PREFIX: \"[bot] \"", "GH_AW_ISSUE_LABELS: \"automation,ai\"", @@ -140,8 +140,8 @@ func TestBuildGitHubScriptStep(t *testing.T) { if !strings.Contains(stepsStr, "id:") { t.Error("Expected step to have 'id:' field") } - if !strings.Contains(stepsStr, "uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3") { - t.Error("Expected step to use actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3") + if !strings.Contains(stepsStr, "uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71") { + t.Error("Expected step to use actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71") } if !strings.Contains(stepsStr, "env:") { t.Error("Expected step to have 'env:' section") diff --git a/pkg/workflow/stop_time_check_job_test.go b/pkg/workflow/stop_time_check_job_test.go index ed30c5fefc3..687b60fccb6 100644 --- a/pkg/workflow/stop_time_check_job_test.go +++ b/pkg/workflow/stop_time_check_job_test.go 
@@ -58,8 +58,9 @@ This workflow has a stop-after configuration. // Verify safety checks are in pre_activation job, not agent job // Note: With alphabetical job sorting, the order in the file is: // activation, agent, pre_activation - preActivationStart := strings.Index(lockContentStr, "pre_activation:") - agentStart := strings.Index(lockContentStr, "agent:") + // Use indented job keys to avoid matching container image references in the header + preActivationStart := strings.Index(lockContentStr, "\n pre_activation:\n") + agentStart := strings.Index(lockContentStr, "\n agent:\n") safetyChecksPos := strings.Index(lockContentStr, "Check stop-time limit") if safetyChecksPos == -1 { @@ -183,8 +184,13 @@ This workflow requires membership checks. t.Error("Expected activation job") } - activationIdx := strings.Index(lockContentStr, "activation:") - agentIdx := strings.Index(lockContentStr, "agent:") + // Use indented job keys to avoid matching container image references in the header + activationIdx := strings.Index(lockContentStr, "\n activation:\n") + agentIdx := strings.Index(lockContentStr, "\n agent:\n") + + if activationIdx == -1 || agentIdx == -1 { + t.Fatal("Could not find activation or agent job keys in compiled output") + } // Extract activation job section activationSection := lockContentStr[activationIdx:agentIdx] diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden index a17ba7cb006..b4cbddf0a06 100644 --- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden +++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden 
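Review bot: `preActivationStart` and `agentStart` in the first hunk of stop_time_check_job_test.go are now looked up with needles that require exact indentation and a trailing newline, but the visible lines check only `safetyChecksPos` against -1. If either job key is missing or rendered differently, strings.Index returns -1 and any later position comparison runs against -1 instead of failing with a clear message. The second hunk in this file adds that guard for `activationIdx` and `agentIdx`; the same belongs here, e.g. `if preActivationStart == -1 || agentStart == -1 { t.Fatal("Could not find pre_activation or agent job keys in compiled output") }`. The test body continues outside the hunk, so an equivalent check may already exist further down.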
@@ -64,7 +64,7 @@ jobs: GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 with: script: | const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); @@ -88,7 +88,7 @@ jobs: fetch-depth: 1 - name: Check workflow lock file id: check-lock-file - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 env: GH_AW_WORKFLOW_FILE: "basic-copilot.lock.yml" GH_AW_CONTEXT_WORKFLOW_REF: "${{ github.workflow_ref }}" @@ -159,7 +159,7 @@ jobs: GH_AW_PROMPT_NORM_EOF } > "$GH_AW_PROMPT" - name: Interpolate variables and render templates - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: @@ -169,7 +169,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_GITHUB_ACTOR: ${{ github.actor }} @@ -215,7 +215,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh" - name: Upload activation artifact if: success() - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: activation path: | 
@@ -280,7 +280,7 @@ jobs: id: checkout-pr if: | github.event.pull_request || github.event.issue.pull_request - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} with: @@ -298,7 +298,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.18 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9 env: GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} 
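Review bot: The "Determine automatic lockdown mode for GitHub MCP Server" step is now pinned to `actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9`, while every other github-script step in this golden file moves to `d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0`. Two different commits of the same action in one compiled workflow suggest this step resolves its pin through a different path or a stale entry, and it is the step whose env carries `GH_AW_GITHUB_TOKEN` and `GH_AW_GITHUB_MCP_SERVER_TOKEN`. If the split is unintended, the generator should emit the same pin and version comment for this step; if it is deliberate, a comment in the generator saying why would help. with-imports.golden shows the same mismatch in its @@ -299 hunk.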
@@ -307,7 +307,7 @@ jobs: const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18 ghcr.io/github/gh-aw-firewall/squid:0.25.18 ghcr.io/github/gh-aw-mcpg:v0.2.17 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28 - name: Start MCP Gateway id: start-mcp-gateway env: @@ -434,7 +434,7 @@ jobs: bash "${RUNNER_TEMP}/gh-aw/actions/stop_mcp_gateway.sh" "$GATEWAY_PID" - name: Redact secrets in logs if: always() - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 with: script: | const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); @@ -452,7 +452,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/append_agent_step_summary.sh" - name: Parse agent logs for step summary if: always() - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 env: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: 
@@ -464,7 +464,7 @@ jobs: - name: Parse MCP Gateway logs for step summary if: always() id: parse-mcp-gateway - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 with: script: | const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); @@ -489,7 +489,7 @@ jobs: - name: Parse token usage for step summary if: always() continue-on-error: true - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 with: script: | const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); @@ -499,7 +499,7 @@ jobs: - name: Upload agent artifacts if: always() continue-on-error: true - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: agent path: | @@ -515,7 +515,7 @@ jobs: - name: Upload firewall audit logs if: always() continue-on-error: true - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: firewall-audit-logs path: | @@ -547,7 +547,7 @@ jobs: job-name: ${{ github.job }} - name: Check team membership for workflow id: check_membership - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 env: GH_AW_REQUIRED_ROLES: "" with: diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden index fe471056be9..b28d55cb585 100644 --- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden +++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden 
@@ -64,7 +64,7 @@ jobs: GH_AW_INFO_AWMG_VERSION: "" GH_AW_INFO_FIREWALL_TYPE: "squid" GH_AW_COMPILED_STRICT: "true" - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 with: script: | const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); @@ -88,7 +88,7 @@ jobs: fetch-depth: 1 - name: Check workflow lock file id: check-lock-file - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 env: GH_AW_WORKFLOW_FILE: "with-imports.lock.yml" GH_AW_CONTEXT_WORKFLOW_REF: "${{ github.workflow_ref }}" @@ -160,7 +160,7 @@ jobs: GH_AW_PROMPT_NORM_EOF } > "$GH_AW_PROMPT" - name: Interpolate variables and render templates - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt with: @@ -170,7 +170,7 @@ jobs: const { main } = require('${{ runner.temp }}/gh-aw/actions/interpolate_prompt.cjs'); await main(); - name: Substitute placeholders - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt GH_AW_GITHUB_ACTOR: ${{ github.actor }} @@ -216,7 +216,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/print_prompt_summary.sh" - name: Upload activation artifact if: success() - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: activation path: | 
@@ -281,7 +281,7 @@ jobs: id: checkout-pr if: | github.event.pull_request || github.event.issue.pull_request - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 env: GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} with: @@ -299,7 +299,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.18 - name: Determine automatic lockdown mode for GitHub MCP Server id: determine-automatic-lockdown - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9 env: GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} 
@@ -308,7 +308,7 @@ jobs: const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18 ghcr.io/github/gh-aw-firewall/squid:0.25.18 ghcr.io/github/gh-aw-mcpg:v0.2.17 ghcr.io/github/github-mcp-server:v0.32.0 + run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28 - name: Start MCP Gateway id: start-mcp-gateway env: @@ -435,7 +435,7 @@ jobs: bash "${RUNNER_TEMP}/gh-aw/actions/stop_mcp_gateway.sh" "$GATEWAY_PID" - name: Redact secrets in logs if: always() - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 with: script: | const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); @@ -453,7 +453,7 @@ jobs: run: bash "${RUNNER_TEMP}/gh-aw/actions/append_agent_step_summary.sh" - name: Parse agent logs for step summary if: always() - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 env: GH_AW_AGENT_OUTPUT: /tmp/gh-aw/sandbox/agent/logs/ with: 
@@ -465,7 +465,7 @@ jobs: - name: Parse MCP Gateway logs for step summary if: always() id: parse-mcp-gateway - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 with: script: | const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); @@ -490,7 +490,7 @@ jobs: - name: Parse token usage for step summary if: always() continue-on-error: true - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 with: script: | const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs'); @@ -500,7 +500,7 @@ jobs: - name: Upload agent artifacts if: always() continue-on-error: true - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: agent path: | @@ -516,7 +516,7 @@ jobs: - name: Upload firewall audit logs if: always() continue-on-error: true - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: firewall-audit-logs path: | @@ -548,7 +548,7 @@ jobs: job-name: ${{ github.job }} - name: Check team membership for workflow id: check_membership - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 + uses: actions/github-script@d746ffe35508b1917358783b479e04febd2b8f71 # v9.0.0 env: GH_AW_REQUIRED_ROLES: "" with: diff --git a/pkg/workflow/threat_detection_test.go b/pkg/workflow/threat_detection_test.go index 05bab0ef0f8..c7e03f4a936 100644 --- a/pkg/workflow/threat_detection_test.go +++ b/pkg/workflow/threat_detection_test.go 
@@ -660,7 +660,7 @@ func TestBuildUploadDetectionLogStep(t *testing.T) {
 expectedComponents := []string{
 "name: Upload threat detection log",
 "if: always()",
- "uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f",
+ "uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a",
 "name: " + constants.DetectionArtifactName,
 "path: /tmp/gh-aw/threat-detection/detection.log",
 "if-no-files-found: ignore",