Skip to content

fix: SHA-pinned actions lose version comment when SkipHardcodedFallback is set#46122

Merged
pelikhan merged 4 commits into
mainfrom
copilot/determine-avenger-lock-changes
Jul 17, 2026
Merged

fix: SHA-pinned actions lose version comment when SkipHardcodedFallback is set#46122
pelikhan merged 4 commits into
mainfrom
copilot/determine-avenger-lock-changes

Conversation

Copilot AI commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

When GH_HOST is non-github.com or the git remote doesn't resolve to github.com (common in sandbox/CI), SkipHardcodedFallback=true caused resolveActionPinFromHardcodedPins to skip all hardcoded lookups — including SHA→version resolution. The fallback then emitted FormatPinnedActionReference(repo, sha, sha), replacing # v7.0.0 with # 9c091bb... in lock files on every recompile.

Root cause

SkipHardcodedFallback guards against using bundled version→SHA mappings on non-github.com hosts (stale pin risk). The guard was also applied to SHA→version lookups, which are purely informational and host-independent.

Fix

  • pkg/actionpins/actionpins.go: Change early-return condition from if ctx.SkipHardcodedFallback to if ctx.SkipHardcodedFallback && !isAlreadySHA in resolveActionPinFromHardcodedPins
// Before: skipped hardcoded lookup entirely
if ctx.SkipHardcodedFallback {
    return "", false
}

// After: still skip version→SHA lookup, but allow SHA→version for comment resolution
if ctx.SkipHardcodedFallback && !isAlreadySHA {
    return "", false
}
  • actionpins_internal_test.go / spec_test.go: Regression tests — SHA-pinned action with SkipHardcodedFallback=true must still produce # v7.0.0, not # <sha>.

Copilot AI and others added 3 commits July 17, 2026 03:39
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…edFallback is set

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…hedule churn)

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title fix: preserve version comment for SHA-pinned actions when SkipHardcodedFallback is set fix: SHA-pinned actions lose version comment when SkipHardcodedFallback is set Jul 17, 2026
Copilot AI requested a review from pelikhan July 17, 2026 03:53
@pelikhan
pelikhan marked this pull request as ready for review July 17, 2026 06:02
Copilot AI review requested due to automatic review settings July 17, 2026 06:02
@github-actions

github-actions Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

@github-actions

github-actions Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR #46122 does not have the 'implementation' label and has only 56 new lines of code in business logic directories (threshold: 100).

@github-actions

github-actions Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Test Quality Sentinel completed test quality analysis.

@github-actions

github-actions Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

PR Code Quality Reviewer completed the code quality review.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes SHA-pinned action version comments when hardcoded version-to-SHA fallback is disabled.

Changes:

  • Allows exact SHA-to-version metadata lookup.
  • Adds internal and public regression tests.
  • Regenerates the release lock manifest.
Show a summary per file
File Description
pkg/actionpins/actionpins.go Permits SHA-to-version lookup during skipped fallback.
pkg/actionpins/actionpins_internal_test.go Tests internal resolution behavior.
pkg/actionpins/spec_test.go Tests the public API regression.
.github/workflows/release.lock.yml Restores the setup-go version metadata.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 4/4 changed files
  • Comments generated: 2
  • Review effort level: Medium

// However, when version is already a SHA (isAlreadySHA), the lookup is purely
// SHA→version (to find a human-readable version label for the comment). That
// operation carries no security risk regardless of host, so it is always allowed.
if ctx.SkipHardcodedFallback && !isAlreadySHA {
assert.Contains(t, result, "actions/checkout@", "result should reference actions/checkout")
})

t.Run("SHA-pinned action with SkipHardcodedFallback=true still produces version comment", func(t *testing.T) {

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clean, well-scoped fix. The narrowed guard () is correct — SHA→version lookup is purely informational and host-independent, so allowing it through even on non-github.com hosts carries no security risk. The regression tests are explicit and adequately cover both the blocked path (version→SHA still skipped) and the newly allowed path (SHA→version proceeds). Lock file change confirms the fix works end-to-end.

🔎 Code quality review by PR Code Quality Reviewer · 10.5 AIC · ⌖ 4.28 AIC · ⊞ 5.6K
Comment /review to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skills-Based Review 🧠

Applied /diagnosing-bugs and /tdd — approving with one minor suggestion.

📋 Key Themes & Highlights

Fix Quality

  • ✅ Root cause correctly identified: SkipHardcodedFallback guarded SHA→version lookups even though those are host-independent and informational only
  • ✅ The one-line condition change (&& !isAlreadySHA) is minimal and surgical
  • ✅ Regression tests added at both internal and public API levels — solid coverage of the exact failure mode
  • ✅ Test names read as specifications and clearly document the pre-fix failure

Minor Issue

  • Log message on line 399 still says skipping hardcoded pin lookup but now only fires for version→SHA requests — see inline comment for a suggested update.

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 16.5 AIC · ⌖ 4.41 AIC · ⊞ 6.7K
Comment /matt to run again

// However, when version is already a SHA (isAlreadySHA), the lookup is purely
// SHA→version (to find a human-readable version label for the comment). That
// operation carries no security risk regardless of host, so it is always allowed.
if ctx.SkipHardcodedFallback && !isAlreadySHA {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/diagnosing-bugs] The log message still says "skipping hardcoded pin lookup" but now only fires for version→SHA lookups — slightly misleading when reading logs.

💡 Suggested update
actionPinsLog.Printf("SkipHardcodedFallback set, skipping version→SHA hardcoded pin lookup for %s@%s", actionRepo, version)

This makes it clearer in debug logs that SHA→version lookups are still allowed.

@copilot please address this.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The fix is correct and well-tested.

Root cause & fix: SkipHardcodedFallback was unconditionally skipping all hardcoded-pin lookups. The fix restricts the skip to version→SHA lookups (!isAlreadySHA), which is the only case where bundled data could introduce stale/wrong pins on non-github.com hosts. SHA→version lookups are purely informational (no security risk), so they are now always allowed.

Tests: Both the internal and public-API regression tests directly exercise the before/after behavior using a real embedded pin (actions/checkout), making them meaningful rather than mock-driven.

Lock file: The manifest update (actions/setup-go gaining its v7.0.0 comment) is a correct side-effect of the fix.

🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 12.9 AIC · ⌖ 4.31 AIC · ⊞ 5K

@github-actions github-actions Bot mentioned this pull request Jul 17, 2026
@github-actions

Copy link
Copy Markdown
Contributor

🧪 Test Quality Sentinel Report

Test Quality Score: 85/100 — Excellent

Analyzed 6 test function(s) (10 subtests): 6 design, 0 implementation, 0 violation(s).

📊 Metrics (6 tests)
Metric Value
Analyzed 6 (Go: 6, JS: 0)
✅ Design 6 (100%)
⚠️ Implementation 0 (0%)
Edge/error coverage 5 (83%)
Duplicate clusters 0
Inflation Yes (test:prod ≈ 8:1; -10 pts)
🚨 Violations 0
Test File Classification Issues
TestResolveExactHardcodedPin_BySHA actionpins_internal_test.go:335 design_test / high_value None
TestResolveExactHardcodedPin_ByVersion actionpins_internal_test.go:344 design_test / high_value None
TestResolveExactHardcodedPin_NoMatch actionpins_internal_test.go:354 design_test / high_value None
TestResolveExactHardcodedPin_VersionTakesPrecedenceOverSHA actionpins_internal_test.go:363 design_test / high_value None
TestResolveActionPinFromHardcodedPins_SkipHardcodedFallback actionpins_internal_test.go:432 design_test / high_value None
TestSpec_PublicAPI_ResolveActionPin_SkipHardcodedFallback spec_test.go:339 design_test / high_value None

Verdict

Passed. 0% implementation tests (threshold: 30%). Tests directly exercise the regression described in the PR — SHA-pinned actions under SkipHardcodedFallback=true now emit correct version comments. The inline regression subtest ("SHA-pinned action with SkipHardcodedFallback=true still produces version comment") is particularly valuable: it documents the before/after contract and will catch any future regressions. Test inflation (8:1 added lines) is expected given the focused production fix and the need for thorough behavioral coverage of the new resolveExactHardcodedPin extraction.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🧪 Test quality analysis by Test Quality Sentinel · 44.1 AIC · ⌖ 7.93 AIC · ⊞ 6.8K ·
Comment /review to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Test Quality Sentinel: 85/100. 0% implementation tests (threshold: 30%). All new tests classify as design tests with strong behavioral contracts directly exercising the regression fix.

@pelikhan

Copy link
Copy Markdown
Collaborator

@copilot run pr-finisher skill

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 17, 2026

Copy link
Copy Markdown
Contributor Author

@copilot run pr-finisher skill

Done in 6c23e60. I addressed the in-scope review feedback by clarifying the exported SkipHardcodedFallback contract, aligning the public spec test comment, and tightening the debug log wording. Local validation passed (go test ./pkg/actionpins -run 'SkipHardcodedFallback', make fmt, make lint, make test-unit, make test, make agent-report-progress). PR mergeability is clean; CI on the new HEAD is still unverified until a maintainer re-triggers it.

@pelikhan
pelikhan merged commit c3d6a28 into main Jul 17, 2026
25 checks passed
@pelikhan
pelikhan deleted the copilot/determine-avenger-lock-changes branch July 17, 2026 06:37
@github-actions

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.12

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants