fix: SHA-pin actions/setup in agentics-maintenance.yml generation (#18378)

Copilot · web-flow · commit bef7c14b4ae2 · 2026-02-25T22:52:47.000-08:00
diff --git a/pkg/cli/pr_command_test.go b/pkg/cli/pr_command_test.go
@@ -180,10 +180,4 @@ func TestNewPRTransferSubcommand(t *testing.T) {
 	if repoFlag == nil {
 		t.Error("Expected --repo flag to exist")
 	}
-
-	// Check that --verbose flag exists
-	verboseFlag := cmd.Flags().Lookup("verbose")
-	if verboseFlag == nil {
-		t.Error("Expected --verbose flag to exist")
-	}
 }
diff --git a/pkg/workflow/action_pins_test.go b/pkg/workflow/action_pins_test.go
@@ -297,9 +297,9 @@ func TestApplyActionPinToStep(t *testing.T) {
 func TestGetActionPinsSorting(t *testing.T) {
 	pins := getActionPins()
 
-	// Verify we got all the pins (37 as of February 2026)
-	if len(pins) != 37 {
-		t.Errorf("getActionPins() returned %d pins, expected 37", len(pins))
+	// Verify we got all the pins (39 as of February 2026)
+	if len(pins) != 39 {
+		t.Errorf("getActionPins() returned %d pins, expected 39", len(pins))
 	}
 
 	// Verify they are sorted by version (descending) then by repository name (ascending)
diff --git a/pkg/workflow/action_reference.go b/pkg/workflow/action_reference.go
@@ -22,14 +22,14 @@ const (
 //   - actionMode: The action mode (dev or release)
 //   - version: The version string to use for release mode
 //   - actionTag: Optional override tag/SHA (takes precedence over version when in release mode)
-//   - data: Optional WorkflowData for SHA resolution (can be nil for standalone use)
+//   - resolver: Optional ActionSHAResolver for dynamic SHA resolution (can be nil for standalone use)
 //
 // Returns:
 //   - For dev mode: "./actions/setup" (local path)
-//   - For release mode with data: "github/gh-aw/actions/setup@<sha> # <version>" (SHA-pinned)
-//   - For release mode without data: "github/gh-aw/actions/setup@<version>" (tag-based, SHA resolved later)
+//   - For release mode with resolver: "github/gh-aw/actions/setup@<sha> # <version>" (SHA-pinned)
+//   - For release mode without resolver: "github/gh-aw/actions/setup@<version>" (tag-based, SHA resolved later)
 //   - Falls back to local path if version is invalid in release mode
-func ResolveSetupActionReference(actionMode ActionMode, version string, actionTag string, data *WorkflowData) string {
+func ResolveSetupActionReference(actionMode ActionMode, version string, actionTag string, resolver ActionSHAResolver) string {
 	localPath := "./actions/setup"
 
 	// Dev mode - return local path
@@ -55,25 +55,23 @@ func ResolveSetupActionReference(actionMode ActionMode, version string, actionTa
 		}
 
 		// Construct the remote reference with tag: github/gh-aw/actions/setup@tag
-		remoteRef := fmt.Sprintf("%s/%s@%s", GitHubOrgRepo, actionPath, tag)
-
-		// If WorkflowData is available, try to resolve the SHA
-		if data != nil {
-			actionRepo := fmt.Sprintf("%s/%s", GitHubOrgRepo, actionPath)
-			pinnedRef, err := GetActionPinWithData(actionRepo, tag, data)
-			if err != nil {
-				// In strict mode, GetActionPinWithData returns an error
-				actionRefLog.Printf("Failed to pin action %s@%s: %v", actionRepo, tag, err)
-				return ""
-			}
-			if pinnedRef != "" {
-				// Successfully resolved to SHA
+		actionRepo := fmt.Sprintf("%s/%s", GitHubOrgRepo, actionPath)
+		remoteRef := fmt.Sprintf("%s@%s", actionRepo, tag)
+
+		// If a resolver is available, try to resolve the SHA
+		if resolver != nil {
+			sha, err := resolver.ResolveSHA(actionRepo, tag)
+			if err == nil && sha != "" {
+				pinnedRef := formatActionReference(actionRepo, sha, tag)
 				actionRefLog.Printf("Release mode: resolved %s to SHA-pinned reference: %s", remoteRef, pinnedRef)
 				return pinnedRef
 			}
+			if err != nil {
+				actionRefLog.Printf("Failed to resolve SHA for %s@%s: %v", actionRepo, tag, err)
+			}
 		}
 
-		// If WorkflowData is not available or SHA resolution failed, return tag-based reference
+		// If no resolver or SHA resolution failed, return tag-based reference
 		// This is for backward compatibility with standalone workflow generators
 		actionRefLog.Printf("Release mode: using tag-based remote action reference: %s (SHA will be resolved later)", remoteRef)
 		return remoteRef
@@ -104,11 +102,15 @@ func (c *Compiler) resolveActionReference(localActionPath string, data *Workflow
 	// For ./actions/setup, check for compiler-level actionTag override first
 	if localActionPath == "./actions/setup" {
 		// Use compiler actionTag if available, otherwise check features
+		var resolver ActionSHAResolver
+		if data != nil && data.ActionResolver != nil {
+			resolver = data.ActionResolver
+		}
 		if c.actionTag != "" {
-			return ResolveSetupActionReference(c.actionMode, c.version, c.actionTag, data)
+			return ResolveSetupActionReference(c.actionMode, c.version, c.actionTag, resolver)
 		}
 		if !hasActionTag {
-			return ResolveSetupActionReference(c.actionMode, c.version, "", data)
+			return ResolveSetupActionReference(c.actionMode, c.version, "", resolver)
 		}
 	}
 
diff --git a/pkg/workflow/action_reference_test.go b/pkg/workflow/action_reference_test.go
@@ -341,20 +341,14 @@ func TestResolveSetupActionReference(t *testing.T) {
 }
 
 func TestResolveSetupActionReferenceWithData(t *testing.T) {
-	t.Run("release mode with WorkflowData resolves SHA", func(t *testing.T) {
+	t.Run("release mode with resolver resolves SHA", func(t *testing.T) {
 		// Create mock action resolver and cache
 		cache := NewActionCache("")
 		resolver := NewActionResolver(cache)
 
-		data := &WorkflowData{
-			ActionResolver: resolver,
-			ActionCache:    cache,
-			StrictMode:     false,
-		}
-
 		// The resolver will fail to resolve github/gh-aw/actions/setup@v1.0.0
 		// since it's not a real tag, but it should fall back gracefully
-		ref := ResolveSetupActionReference(ActionModeRelease, "v1.0.0", "", data)
+		ref := ResolveSetupActionReference(ActionModeRelease, "v1.0.0", "", resolver)
 
 		// Without a valid pin or successful resolution, should return tag-based reference
 		expectedRef := "github/gh-aw/actions/setup@v1.0.0"
@@ -363,7 +357,7 @@ func TestResolveSetupActionReferenceWithData(t *testing.T) {
 		}
 	})
 
-	t.Run("release mode with nil data returns tag-based reference", func(t *testing.T) {
+	t.Run("release mode with nil resolver returns tag-based reference", func(t *testing.T) {
 		ref := ResolveSetupActionReference(ActionModeRelease, "v1.0.0", "", nil)
 		expectedRef := "github/gh-aw/actions/setup@v1.0.0"
 		if ref != expectedRef {
diff --git a/pkg/workflow/action_resolver.go b/pkg/workflow/action_resolver.go
@@ -11,6 +11,11 @@ import (
 
 var resolverLog = logger.New("workflow:action_resolver")
 
+// ActionSHAResolver is the minimal interface for resolving an action tag to its commit SHA.
+type ActionSHAResolver interface {
+	ResolveSHA(repo, version string) (string, error)
+}
+
 // ActionResolver handles resolving action SHAs using GitHub CLI
 type ActionResolver struct {
 	cache             *ActionCache
diff --git a/pkg/workflow/maintenance_workflow.go b/pkg/workflow/maintenance_workflow.go
@@ -149,9 +149,12 @@ jobs:
 `)
 
 	// Get the setup action reference (local or remote based on mode)
-	// Pass nil for data since maintenance workflow doesn't have WorkflowData
-	// In release mode without data, it will return tag-based reference
-	setupActionRef := ResolveSetupActionReference(actionMode, version, actionTag, nil)
+	// Use the first available WorkflowData's ActionResolver to enable SHA pinning
+	var resolver ActionSHAResolver
+	if len(workflowDataList) > 0 && workflowDataList[0].ActionResolver != nil {
+		resolver = workflowDataList[0].ActionResolver
+	}
+	setupActionRef := ResolveSetupActionReference(actionMode, version, actionTag, resolver)
 
 	// Add checkout step only in dev mode (for local action paths)
 	if actionMode == ActionModeDev {
diff --git a/pkg/workflow/maintenance_workflow_test.go b/pkg/workflow/maintenance_workflow_test.go
@@ -287,6 +287,43 @@ func TestGenerateMaintenanceWorkflow_ActionTag(t *testing.T) {
 		}
 	})
 
+	t.Run("release mode with action-tag and resolver uses SHA-pinned ref", func(t *testing.T) {
+		tmpDir := t.TempDir()
+		// Set up an action resolver with a cached SHA for the setup action
+		cache := NewActionCache(tmpDir)
+		cache.Set("github/gh-aw/actions/setup", "v0.47.4", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
+		resolver := NewActionResolver(cache)
+
+		workflowDataListWithResolver := []*WorkflowData{
+			{
+				Name:              "test-workflow",
+				ActionResolver:    resolver,
+				ActionPinWarnings: make(map[string]bool),
+				SafeOutputs: &SafeOutputsConfig{
+					CreateIssues: &CreateIssuesConfig{
+						Expires: 48,
+					},
+				},
+			},
+		}
+
+		err := GenerateMaintenanceWorkflow(workflowDataListWithResolver, tmpDir, "v1.0.0", ActionModeRelease, "v0.47.4", false)
+		if err != nil {
+			t.Fatalf("Unexpected error: %v", err)
+		}
+		content, err := os.ReadFile(filepath.Join(tmpDir, "agentics-maintenance.yml"))
+		if err != nil {
+			t.Fatalf("Expected maintenance workflow to be generated: %v", err)
+		}
+		expectedRef := "github/gh-aw/actions/setup@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v0.47.4"
+		if !strings.Contains(string(content), expectedRef) {
+			t.Errorf("Expected SHA-pinned ref %q, got:\n%s", expectedRef, string(content))
+		}
+		if strings.Contains(string(content), "uses: ./actions/setup") {
+			t.Errorf("Expected no local path in release mode with action-tag, got:\n%s", string(content))
+		}
+	})
+
 	t.Run("dev mode ignores action-tag and uses local path", func(t *testing.T) {
 		tmpDir := t.TempDir()
 		err := GenerateMaintenanceWorkflow(workflowDataList, tmpDir, "v1.0.0", ActionModeDev, "v0.47.4", false)

Original file line number	Diff line number	Diff line change
`@@ -180,10 +180,4 @@ func TestNewPRTransferSubcommand(t *testing.T) {`
`180`	`180`	`if repoFlag == nil {`
`181`	`181`	`t.Error("Expected --repo flag to exist")`
`182`	`182`	`}`
`183`		`-`
`184`		`- // Check that --verbose flag exists`
`185`		`- verboseFlag := cmd.Flags().Lookup("verbose")`
`186`		`- if verboseFlag == nil {`
`187`		`- t.Error("Expected --verbose flag to exist")`
`188`		`- }`
`189`	`183`	`}`