Fix lock file integrity check for cross-org reusable workflows

[Copilot]

When a reusable workflow in OrgA/repoA is called via workflow_call from OrgB/repoB, the lock file integrity check fails because the caller's GITHUB_TOKEN cannot access OrgA/repoA files via the GitHub API, causing an ERR_CONFIG failure before the agent starts.

Changes

• check_workflow_timestamp_api.cjs: Adds a local filesystem fallback to compareFrontmatterHashes(). When the GitHub API returns null or throws (permission error, 404, etc.), the check falls back to reading from $GITHUB_WORKSPACE/.github/workflows/. This is always safe because the Checkout .github and .agents folders step — which already checks out the source repo (via target_repo in workflow_call contexts) — runs before the timestamp check. Path traversal protection is enforced: resolved paths are validated to stay within $GITHUB_WORKSPACE/.github/workflows/ before any file is read.

  Primary: GitHub API (owner/repo resolved from GITHUB_WORKFLOW_REF)
      ↓ returns null or throws (cross-org permission error)
  Fallback: $GITHUB_WORKSPACE/.github/workflows/ (already checked out)
      ↓ also unavailable
  Fail with ERR_CONFIG (existing behavior)
  

• check_workflow_timestamp_api.test.cjs: Adds 7 tests covering the fallback path — API failure with matching/mismatched local hashes, missing workspace, missing lock file, API-takes-precedence when both are available, catch-block fallback when the .md file API fetch throws after the lock file fetch succeeds, and path traversal rejection.

Works for same-repo, cross-repo same-org (API path), and cross-org reusable workflow calls (filesystem fallback).

[Copilot]

Pull request overview

Fixes workflow lock file integrity checks failing in cross-org reusable workflow calls by adding a local workspace fallback when GitHub API access is unavailable.

Changes:

• Add a $GITHUB_WORKSPACE filesystem fallback for frontmatter hash comparison when GitHub API reads return null or throw.
• Add Vitest coverage for API-failure → local-fallback scenarios.
• Update conclusion job concurrency group strings in two generated workflow lock files.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
actions/setup/js/check_workflow_timestamp_api.cjs	Adds local filesystem fallback logic for frontmatter hash comparison when API access fails.
actions/setup/js/check_workflow_timestamp_api.test.cjs	Adds tests validating success/failure behavior for the new fallback path and API precedence.
.github/workflows/stale-repo-identifier.lock.yml	Changes conclusion job concurrency group to incorporate inputs.organization / github.run_id.
.github/workflows/slide-deck-maintainer.lock.yml	Changes conclusion job concurrency group to incorporate inputs.focus / github.run_id.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Local filesystem fallback builds paths by joining $GITHUB_WORKSPACE with lockFilePath/workflowMdPath, which are derived from GH_AW_WORKFLOW_FILE without any validation. If GH_AW_WORKFLOW_FILE contains path traversal segments (e.g. ../), the fallback could read files outside .github/workflows (and potentially outside the workspace). Consider normalizing with path.resolve() and enforcing that the resolved paths stay under ${GITHUB_WORKSPACE}/.github/workflows, or rejecting workflowFile values containing path separators / ...

[Copilot]

This PR changes the conclusion job concurrency group to include ${{ inputs.organization || github.run_id }}, but the PR description focuses on the lockfile integrity check fallback and doesn’t mention workflow concurrency behavior changes. Please call out this workflow behavior change explicitly (or split it into a separate PR) so reviewers understand the intent and impact.

[Copilot]

This PR changes the conclusion job concurrency group to include ${{ inputs.focus || github.run_id }}, but the PR description focuses on the lockfile integrity check fallback and doesn’t mention workflow concurrency behavior changes. Please call out this workflow behavior change explicitly (or split it into a separate PR) so reviewers understand the intent and impact.

[Copilot]

The new fallback-on-exception path in compareFrontmatterHashes() (catch block that logs Could not compute frontmatter hash via API: and then tries the local filesystem) isn’t covered by tests. Consider adding a test where the lock file fetch succeeds via API but the source .md fetch (via the GitHub fileReader) throws, and assert that the local fallback is attempted and the outcome matches the local hashes.

[pelikhan]

@copilot review comments

[Copilot]

@copilot review comments

Addressed all three reviewer comments in commit 47d01c5:

1. Path traversal protection: Added path.resolve() normalization and validated that both resolved paths stay under ${GITHUB_WORKSPACE}/.github/workflows before any file I/O. A test for this (should reject path traversal in GH_AW_WORKFLOW_FILE) was also added.

2. Missing catch-block test: Added should fall back to local files when API lock file fetch succeeds but md file fetch throws — covers the path where the first API call (lock file) returns content but the second (.md file) throws, triggering the catch-block fallback.

3. Unrelated lock file changes: Reverted slide-deck-maintainer.lock.yml and stale-repo-identifier.lock.yml to their original state from 635bb78.