From 7c8d61f1d0686206e3ead6198d831a93fc81f5f7 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 11 Apr 2026 03:44:30 +0000
Subject: [PATCH] fix: normalize container pins in wasm golden tests to fix
 build-wasm CI job

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/b724d099-3e05-43d9-ac5d-c385d81a0d7c

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 pkg/workflow/compiler.go                            | 11 +++++++++++
 .../basic-copilot.golden                            |  2 +-
 .../with-imports.golden                             |  2 +-
 pkg/workflow/wasm_golden_test.go                    |  4 +++-
 scripts/test-wasm-golden.mjs                        | 13 +++++++++++--
 5 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/pkg/workflow/compiler.go b/pkg/workflow/compiler.go
index 9b0cbd10eb9..188450b35e1 100644
--- a/pkg/workflow/compiler.go
+++ b/pkg/workflow/compiler.go
@@ -31,6 +31,17 @@ func normalizeHeredocDelimiters(content string) string {
 	return heredocDelimiterRE.ReplaceAllString(content, "GH_AW_${1}_NORM_EOF")
 }
 
+// containerPinRE matches Docker image digest pins of the form @sha256:<64 hex chars>.
+// Used to normalize output that may or may not include container pins depending on
+// whether the action cache is available (native compilation has it, wasm does not).
+var containerPinRE = regexp.MustCompile(`@sha256:[0-9a-f]{64}`)
+
+// normalizeContainerPins strips @sha256:… digest suffixes from Docker image references
+// so that compiled output compares equal regardless of whether the action cache was loaded.
+func normalizeContainerPins(content string) string {
+	return containerPinRE.ReplaceAllString(content, "")
+}
+
 const (
 	// MaxLockFileSize is the maximum allowed size for generated lock workflow files (500KB)
 	MaxLockFileSize = 512000 // 500KB in bytes
diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden
index b4cbddf0a06..d1b9a548cb9 100644
--- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden
+++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden
@@ -307,7 +307,7 @@ jobs:
             const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs');
             await determineAutomaticLockdown(github, context, core);
       - name: Download container images
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18 ghcr.io/github/gh-aw-firewall/squid:0.25.18 ghcr.io/github/gh-aw-mcpg:v0.2.17 ghcr.io/github/github-mcp-server:v0.32.0
       - name: Start MCP Gateway
         id: start-mcp-gateway
         env:
diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden
index b28d55cb585..f63d253c92f 100644
--- a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden
+++ b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden
@@ -308,7 +308,7 @@ jobs:
             const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs');
             await determineAutomaticLockdown(github, context, core);
       - name: Download container images
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18 ghcr.io/github/gh-aw-firewall/squid:0.25.18 ghcr.io/github/gh-aw-mcpg:v0.2.17 ghcr.io/github/github-mcp-server:v0.32.0
       - name: Start MCP Gateway
         id: start-mcp-gateway
         env:
diff --git a/pkg/workflow/wasm_golden_test.go b/pkg/workflow/wasm_golden_test.go
index 8bc9646a723..d21a8dcfa6a 100644
--- a/pkg/workflow/wasm_golden_test.go
+++ b/pkg/workflow/wasm_golden_test.go
@@ -84,7 +84,9 @@ func TestWasmGolden_CompileFixtures(t *testing.T) {
 
 			// Normalize heredoc delimiters before comparing so golden files are
 			// stable across compilations (randomized token is replaced by a placeholder).
-			golden.RequireEqual(t, normalizeHeredocDelimiters(yamlOutput))
+			// Also normalize container pins since the action cache may or may not be
+			// available depending on the environment (native vs wasm).
+			golden.RequireEqual(t, normalizeContainerPins(normalizeHeredocDelimiters(yamlOutput)))
 		})
 	}
 }
diff --git a/scripts/test-wasm-golden.mjs b/scripts/test-wasm-golden.mjs
index 052d46184d4..5e1564772a9 100644
--- a/scripts/test-wasm-golden.mjs
+++ b/scripts/test-wasm-golden.mjs
@@ -140,6 +140,15 @@ function normalizeHeredocDelimiters(content) {
   return content.replace(/GH_AW_([A-Z0-9_]+)_[0-9a-f]{16}_EOF/g, "GH_AW_$1_NORM_EOF");
 }
 
+// ── Normalize container pin digests ──────────────────────────────────
+// Strips @sha256:<64 hex chars> digest suffixes from Docker image references
+// so that compiled output compares equal regardless of whether the action cache
+// was loaded (native compilation has it, wasm does not).
+// Mirrors normalizeContainerPins() in pkg/workflow/compiler.go.
+function normalizeContainerPins(content) {
+  return content.replace(/@sha256:[0-9a-f]{64}/g, "");
+}
+
 // ── Load golden file ─────────────────────────────────────────────────
 function loadGoldenFile(testName) {
   // Golden files follow the charmbracelet/x/exp/golden convention:
@@ -222,8 +231,8 @@ async function main() {
         continue;
       }
 
-      const normalizedWasm = normalizeHeredocDelimiters(wasmYaml);
-      const normalizedGolden = normalizeHeredocDelimiters(goldenYaml);
+      const normalizedWasm = normalizeContainerPins(normalizeHeredocDelimiters(wasmYaml));
+      const normalizedGolden = normalizeContainerPins(normalizeHeredocDelimiters(goldenYaml));
 
       if (normalizedWasm === normalizedGolden) {
         console.log("PASS");