[plan] Fix stale lock check to resolve callee repo for cross-repo reusable workflows

[github-actions]

Objective

Fix the stale lock check for cross-repo reusable workflows so it resolves the callee (reusable workflow's) repo and path rather than the caller repo.

Context

Closes part of #24422. When a workflow uses a cross-repo reusable workflow (e.g., uses: org/repo/.github/workflows/my-workflow.lock.yml@main), the gh-aw stale lock check script uses GH_AW_CONTEXT_WORKFLOW_REF (injected as ${{ github.workflow_ref }}), which refers to the caller workflow's repo. It then tries to find the .md and .lock.yml files in the caller repo, where they don't exist, and fails with "outdated or unverifiable."

The GitHub Actions runtime provides referenced_workflows in the run context, which contains the exact owner, repo, path, and ref of the reusable workflow being called.

Root Cause

actions/setup/js/check_workflow_timestamp_api.cjs uses GITHUB_WORKFLOW_REF / GH_AW_CONTEXT_WORKFLOW_REF to determine the source of truth. For cross-repo reusable workflows, the correct source is the referenced (callee) workflow, not the caller.

The GitHub Actions REST API run object includes a referenced_workflows array where each entry has:

• path — e.g., org/repo/.github/workflows/my-workflow.lock.yml@main
• sha — the commit SHA of the referenced workflow
• ref — the ref

Approach

1. In actions/setup/js/check_workflow_timestamp_api.cjs:
   • When the current workflow is detected as a reusable workflow (i.e., triggered by workflow_call), fetch the parent run's referenced_workflows from the GitHub Actions API.
   • Find the entry matching the current workflow's path.
   • Use that entry's repo, path, and ref to locate the .md and .lock.yml source files instead of GITHUB_WORKFLOW_REF.
2. The GitHub API endpoint to fetch the run is: GET /repos/{owner}/{repo}/actions/runs/{run_id} — the referenced_workflows field is present in the response.
3. The parent run ID can be obtained from the current run's triggering_actor or by checking GITHUB_RUN_ID of the caller; alternatively the reusable workflow run itself exposes referenced_workflows in GET /repos/{owner}/{repo}/actions/runs/{run_id}.
4. Add appropriate error handling if referenced_workflows is empty or the entry is not found.
5. Run make fmt-cjs && make lint-cjs to validate.

Files to Modify

• actions/setup/js/check_workflow_timestamp_api.cjs — detect cross-repo reusable workflow scenario and resolve callee repo/path using referenced_workflows

Acceptance Criteria

• When the workflow is a cross-repo reusable workflow, the stale check resolves the .md and .lock.yml files from the reusable workflow's repo (callee), not the caller repo
• The fix does not regress same-repo reusable workflow stale checks
• The fix does not regress regular (non-reusable) workflow stale checks
• make fmt-cjs && make lint-cjs passes
  Related to Remote workflow call still broken #24422

Generated by Plan Command for issue #24422 · ● 320.3K · ◷

• expires on Apr 6, 2026, 3:28 AM UTC