github · pelikhan · Apr 11, 2026 · Apr 11, 2026
diff --git a/pkg/workflow/compiler.go b/pkg/workflow/compiler.go
@@ -31,6 +31,17 @@ func normalizeHeredocDelimiters(content string) string {
 	return heredocDelimiterRE.ReplaceAllString(content, "GH_AW_${1}_NORM_EOF")
 }
 
+// containerPinRE matches Docker image digest pins of the form @sha256:<64 hex chars>.
+// Used to normalize output that may or may not include container pins depending on
+// whether the action cache is available (native compilation has it, wasm does not).
+var containerPinRE = regexp.MustCompile(`@sha256:[0-9a-f]{64}`)
+
+// normalizeContainerPins strips @sha256:… digest suffixes from Docker image references
+// so that compiled output compares equal regardless of whether the action cache was loaded.
+func normalizeContainerPins(content string) string {
+	return containerPinRE.ReplaceAllString(content, "")
+}
+
 const (
 	// MaxLockFileSize is the maximum allowed size for generated lock workflow files (500KB)
 	MaxLockFileSize = 512000 // 500KB in bytes

diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden
@@ -307,7 +307,7 @@ jobs:
             const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs');
             await determineAutomaticLockdown(github, context, core);
       - name: Download container images
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18 ghcr.io/github/gh-aw-firewall/squid:0.25.18 ghcr.io/github/gh-aw-mcpg:v0.2.17 ghcr.io/github/github-mcp-server:v0.32.0
       - name: Start MCP Gateway
         id: start-mcp-gateway
         env:

diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden
@@ -308,7 +308,7 @@ jobs:
             const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs');
             await determineAutomaticLockdown(github, context, core);
       - name: Download container images
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18@sha256:c77e8c26bab6c39e8568d8e2f8c17015944849a8cbcdfb4bd9725d8893725ca2 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3ca6e989896d0cef9f31b9412bb1fcc8755bafcafb95012ae1078539b ghcr.io/github/gh-aw-firewall/squid:0.25.18@sha256:eb102afcfbae26ffcec016adebb74d3be7b0a5bf376ba306599cdf3effbe288e ghcr.io/github/gh-aw-mcpg:v0.2.17@sha256:a6dec6ec535a11c565d982afa2f98589805ed0598862b9ea9d3c751fc71afae8 ghcr.io/github/github-mcp-server:v0.32.0@sha256:2763823c63bcca718ce53850a1d7fcf2f501ec84028394f1b63ce7e9f4f9be28
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.18 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.18 ghcr.io/github/gh-aw-firewall/squid:0.25.18 ghcr.io/github/gh-aw-mcpg:v0.2.17 ghcr.io/github/github-mcp-server:v0.32.0
       - name: Start MCP Gateway
         id: start-mcp-gateway
         env:

diff --git a/pkg/workflow/wasm_golden_test.go b/pkg/workflow/wasm_golden_test.go
@@ -84,7 +84,9 @@ func TestWasmGolden_CompileFixtures(t *testing.T) {
 
 			// Normalize heredoc delimiters before comparing so golden files are
 			// stable across compilations (randomized token is replaced by a placeholder).
-			golden.RequireEqual(t, normalizeHeredocDelimiters(yamlOutput))
+			// Also normalize container pins since the action cache may or may not be
+			// available depending on the environment (native vs wasm).
+			golden.RequireEqual(t, normalizeContainerPins(normalizeHeredocDelimiters(yamlOutput)))
 		})
 	}
 }

diff --git a/scripts/test-wasm-golden.mjs b/scripts/test-wasm-golden.mjs
@@ -140,6 +140,15 @@ function normalizeHeredocDelimiters(content) {
   return content.replace(/GH_AW_([A-Z0-9_]+)_[0-9a-f]{16}_EOF/g, "GH_AW_$1_NORM_EOF");
 }
 
+// ── Normalize container pin digests ──────────────────────────────────
+// Strips @sha256:<64 hex chars> digest suffixes from Docker image references
+// so that compiled output compares equal regardless of whether the action cache
+// was loaded (native compilation has it, wasm does not).
+// Mirrors normalizeContainerPins() in pkg/workflow/compiler.go.
+function normalizeContainerPins(content) {
+  return content.replace(/@sha256:[0-9a-f]{64}/g, "");
+}
+
 // ── Load golden file ─────────────────────────────────────────────────
 function loadGoldenFile(testName) {
   // Golden files follow the charmbracelet/x/exp/golden convention:
@@ -222,8 +231,8 @@ async function main() {
         continue;
       }
 
-      const normalizedWasm = normalizeHeredocDelimiters(wasmYaml);
-      const normalizedGolden = normalizeHeredocDelimiters(goldenYaml);
+      const normalizedWasm = normalizeContainerPins(normalizeHeredocDelimiters(wasmYaml));
+      const normalizedGolden = normalizeContainerPins(normalizeHeredocDelimiters(goldenYaml));
 
       if (normalizedWasm === normalizedGolden) {
         console.log("PASS");