Pin github/gh-aw-actions to commit SHA and add pinning guard #749
The agentic workflows referenced github/gh-aw-actions/setup and setup-cli by mutable tag (@v0.77.5) because .github/aw/actions-lock.json still carried a stale pre-migration entry (github/gh-aw/actions/setup@v0.71.5) with no entry for the action the compiled workflows actually use. With no matching lock entry, gh aw compile fell back to emitting the bare tag.
Refresh the lock with SHA-pinned entries for github/gh-aw-actions/setup@v0.77.5 and setup-cli@v0.77.5 (commit 3ea13c02...), and regenerate the workflows via gh aw compile so every uses: ref, decorative comment, and manifest sha is pinned. This mirrors how dotnet/msbuild pins the same action and unblocks enabling org-level "require actions pinned to a full-length commit SHA".
Also add enforce-action-pinning.yml, a self-contained PR/push check that fails any workflow referencing an action by tag/branch. The agentic workflows are schedule/issue-triggered and never run on PRs, so neither /evaluate nor the runtime org policy gates them pre-merge; this check does.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Pins github/gh-aw-actions references to a full commit SHA across the repo’s agentic workflow outputs and adds a CI guard to prevent reintroducing tag/branch-based uses: references, aligning with the org policy requirement for immutable action references.
Changes:
- Updated `.github/aw/actions-lock.json` to include `github/gh-aw-actions/setup` and `setup-cli` entries for `v0.77.5` resolving to `3ea13c02d765410340d533515cb31a7eef2baaf0`.
- Replaced `uses: github/gh-aw-actions/*@v0.77.5` with `@3ea13c02…` (and updated manifests/comments) across multiple generated `*.lock.yml` workflows and related workflows.
- Added a new `enforce-action-pinning.yml` workflow to fail PRs/pushes that introduce unpinned `uses:` references.
| File | Description |
|---|---|
| .github/aw/actions-lock.json | Adds/updates lock entries so gh aw compile can emit SHA-pinned refs for gh-aw-actions actions. |
| .github/workflows/validate-pat-pool.yml | Pins github/gh-aw-actions/setup to a full commit SHA. |
| .github/workflows/pr-malicious-scan.agent.lock.yml | Updates gh-aw manifest/commentary and uses: refs to SHA for github/gh-aw-actions/setup. |
| .github/workflows/markdown-linter.lock.yml | Updates gh-aw manifest/commentary and uses: refs to SHA for github/gh-aw-actions/setup. |
| .github/workflows/issue-triage.lock.yml | Updates gh-aw manifest/commentary and uses: refs to SHA for github/gh-aw-actions/setup. |
| .github/workflows/issue-investigate.lock.yml | Updates gh-aw manifest/commentary and uses: refs to SHA for github/gh-aw-actions/setup. |
| .github/workflows/devops-health-investigate.lock.yml | Updates gh-aw manifest/commentary and uses: refs to SHA for github/gh-aw-actions/setup. |
| .github/workflows/devops-health-groom.lock.yml | Updates gh-aw manifest/commentary and uses: refs to SHA for github/gh-aw-actions/setup. |
| .github/workflows/devops-health-check.lock.yml | Updates gh-aw manifest/commentary and uses: refs to SHA for github/gh-aw-actions/setup. |
| .github/workflows/close-stale-prs.agent.lock.yml | Updates gh-aw manifest/commentary and uses: refs to SHA for github/gh-aw-actions/setup. |
| .github/workflows/agentics-maintenance.yml | Pins github/gh-aw-actions/setup and setup-cli to the full commit SHA. |
| .github/workflows/enforce-action-pinning.yml | Adds a CI job to detect and fail on unpinned uses: references in workflows. |
Copilot's findings
- Files reviewed: 12/12 changed files
- Comments generated: 1
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Do we need that? AFAIK, there's a repository setting to enforce that which would make actions running on PRs complain. Anything beyond that feels like over-engineering.
Fair challenge — and you're right that the org/repo setting ("Require actions to be pinned to a full-length commit SHA") is the primary control, so I don't want to over-build here. The one gap I'd flag: that policy is enforced per run, at runtime — it fails a workflow when it executes, it isn't a static scan of the repo. The catch for these files is that none of the gh-aw workflows are That said, it's a judgment call, not a hill — it is strictly more than the msbuild pattern, which has no such guard. If you'd rather lean entirely on the repo setting and keep things lean, I'm happy to drop — Copilot
Yes, I would drop that workflow. We don't do that in any other repository.
Drop the CI guard in favor of relying on the org/repo 'Require actions pinned to a full-length commit SHA' setting, per review feedback. The lock-file fix and SHA pins remain the root-cause fix.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Done — dropped — Copilot
What & why
GitHub's org policy "Require actions to be pinned to a full-length commit SHA" fails any workflow run that references an action by tag at runtime. Every workflow that uses the agentic-workflow (`gh-aw`) setup actions was referencing them by bare tag (`github/gh-aw-actions/setup@v0.77.5`, `setup-cli@v0.77.5`), so they would break once the policy is enabled. This mirrors how dotnet/msbuild pins the same actions to a SHA.
Root cause
`gh aw compile` pins `uses:` refs from `.github/aw/actions-lock.json`. That lock file was stale: it still held a pre-migration slash-path entry (`github/gh-aw/actions/setup`) and had no entry for the hyphen-path action the workflows actually use (`github/gh-aw-actions/setup`). With no matching lock entry, the compiler emitted a bare tag instead of a SHA. (PR #736 removed the old hyphen entry without a replacement.)
Changes
- `.github/aw/actions-lock.json` — load-bearing fix: add hyphen-path entries for `github/gh-aw-actions/setup@v0.77.5` and `setup-cli@v0.77.5`, both resolving to SHA `3ea13c02d765410340d533515cb31a7eef2baaf0`. This makes future `gh aw compile` runs emit SHA pins instead of bare tags, so the fix survives regeneration.
- `gh-aw` action references across the 8 `*.lock.yml` files plus `agentics-maintenance.yml` and `validate-pat-pool.yml` — `uses:`, the decorative `# vX` comments, and the manifest `sha` fields — to `@3ea13c02…baaf0 # v0.77.5`.
- `.github/workflows/enforce-action-pinning.yml` — a self-contained CI guard that fails a PR if any workflow references an action by tag (exempts local `./`/`../` and `docker://` refs). This is the only PR-time gate for the generated `.lock.yml` files, since none of the gh-aw workflows are `pull_request`-triggered. (This guard is an addition beyond the msbuild pattern.)
Verification
- `3ea13c02…baaf0` is the commit that annotated tag `v0.77.5` of `github/gh-aw-actions` points to (same method that reproduces msbuild's v0.78.3 → `8cfea5ae…` pin exactly).
- `gh aw` pinned to v0.77.5 and ran `gh aw compile` — output was byte-identical to these hand edits (`git diff` unchanged across all generated files). The runtime version is unchanged (still v0.77.5); this only changes tag → SHA.
Follow-ups (repo/org settings, not in this PR)
After merge, enable the org policy "Require actions to be pinned to a full-length commit SHA" and turn on immutable releases/tags.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
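A static check of the kind the description attributes to the pinning guard, written here as an added example; it is not the `enforce-action-pinning.yml` from this PR, whose contents do not appear on the page. The function name `find_unpinned`, the line-based matching (no YAML parser) and the constructed `SAMPLE` workflow, including its local-action path and docker image, are assumptions.

```python
import re

# A `uses:` key, either as a step ("- uses:" / "uses:") or a job-level reusable-workflow call.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<ref>\S+)")
# Only a full-length (40 hex character) commit SHA counts as pinned.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the tag and the full SHA are the ones quoted in the PR.
SAMPLE = """\
jobs:
  agent:
    runs-on: ubuntu-latest
    steps:
      - uses: github/gh-aw-actions/setup@v0.77.5
      - uses: github/gh-aw-actions/setup@3ea13c02d765410340d533515cb31a7eef2baaf0 # v0.77.5
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
      - name: abbreviated SHA is not a full-length pin
        uses: "github/gh-aw-actions/setup-cli@3ea13c02"
"""


def find_unpinned(workflow_text):
    """Return (line_number, ref) for each `uses:` not pinned to a full-length commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue  # not a uses: line (commented-out lines start with '#' and never match)
        ref = match.group("ref").strip("'\"")
        # Local actions and docker images are exempt, as in the guard described in the PR.
        if ref.startswith(("./", "../", "docker://")):
            continue
        # Everything after the last '@' is the version; a missing '@' is also unpinned.
        _, sep, version = ref.rpartition("@")
        if not sep or not FULL_SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    # A CI step would exit non-zero when this list is non-empty.
    for lineno, ref in find_unpinned(SAMPLE):
        print(f"line {lineno}: unpinned action reference: {ref}")
```

The trailing `# v0.77.5` comment on a pinned line is ignored because the ref is read only up to the first whitespace.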