feat: list secrets & custom actions in lock file header; move gh-aw-metadata to first line#24495

Merged
pelikhan merged 2 commits into main from copilot/add-secrets-and-actions-to-lockfile on Apr 4, 2026

Conversation

Contributor

Copilot AI commented Apr 4, 2026

Lock files lacked a human-readable manifest of their external dependencies, and gh-aw-metadata was buried after the ASCII banner, making machine parsing cumbersome.

Changes

Header structure

  • # gh-aw-metadata: {...} is now line 1 of every lock file (before the ASCII logo)
  • Two new sections appended after existing header content:
    • # Secrets used: — sorted, deduplicated list of all secrets.* references in the workflow
    • # Custom actions used: — sorted, deduplicated list of all external uses: references (local ./ refs excluded), including inline version tags

Example output

# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"...","strict":true,"agent_id":"copilot"}
#    ___  ...ASCII logo...
# This file was automatically generated by gh-aw. DO NOT EDIT.
# ...
# Secrets used:
#   - COPILOT_GITHUB_TOKEN
#   - GH_AW_GITHUB_TOKEN
#   - GITHUB_TOKEN
#
# Custom actions used:
#   - actions/checkout@de0fac2e... # v6.0.2
#   - actions/github-script@ed5974... # v8
#   - actions/upload-artifact@bbbca2... # v7

name: "My Workflow"

Implementation

  • CollectActionReferences(yamlContent string) []string added to redact_secrets.go — regex-based extraction of external uses: values, supporting both uses: ref and - uses: ref YAML forms
  • generateYAML now generates the workflow body first, then passes collected secrets/actions into generateWorkflowHeader — avoids a two-pass scan
  • generateWorkflowHeader signature extended with secrets []string, actions []string; metadata block moved to top
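The header layout described above, parsed end to end as an added example (this is illustration code, not code from the PR or from gh-aw): it enforces the line-1 gh-aw-metadata contract, reads both manifest sections, and stops at the workflow body. The sample lock file is constructed from the example output; ParseLockHeader and Header are names chosen here.

```go
package main

import (
	"encoding/json"
	"errors"
	"strings"
)
// Constructed sample, trimmed from the example output in the PR description.
const sampleLock = `# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"abc123","strict":true,"agent_id":"copilot"}
# Secrets used:
#   - COPILOT_GITHUB_TOKEN
#   - GITHUB_TOKEN
#
# Custom actions used:
#   - actions/checkout@de0fac2e # v6.0.2
#   - actions/github-script@ed5974 # v8
name: "My Workflow"
`
// Header: raw gh-aw-metadata fields, the secrets list, and each action ref mapped to its inline tag.
type Header struct {
	Meta    map[string]any
	Secrets []string
	Actions map[string]string // the tag is an unverified source comment, not derived from the SHA
}
// ParseLockHeader enforces the line-1 metadata contract and reads both manifest sections, stopping at the body.
func ParseLockHeader(content string) (Header, error) {
	lines := strings.Split(content, "\n")
	h := Header{Actions: map[string]string{}}
	meta, ok := strings.CutPrefix(lines[0], "# gh-aw-metadata: ")
	if !ok {
		return h, errors.New("line 1 is not a gh-aw-metadata line")
	}
	if err := json.Unmarshal([]byte(meta), &h.Meta); err != nil {
		return h, err
	}
	section := ""
	for i := 1; i < len(lines) && strings.HasPrefix(lines[i], "#"); i++ {
		entry, isEntry := strings.CutPrefix(lines[i], "#   - ")
		switch {
		case strings.HasSuffix(lines[i], " used:"): // "# Secrets used:" or "# Custom actions used:"
			section = lines[i]
		case isEntry && section == "# Secrets used:":
			h.Secrets = append(h.Secrets, entry)
		case isEntry && section == "# Custom actions used:":
			ref, tag, _ := strings.Cut(entry, " # ")
			h.Actions[ref] = tag // a repeated ref collapses to one entry
		}
	}
	return h, nil
}
```

A lock file whose first line is the ASCII banner is rejected, which is the case the review below flags as breaking the parsing contract.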

…tadata to first line

- Add CollectActionReferences() to extract external uses: refs from YAML
- Move gh-aw-metadata to be the first line of lock files
- Add '# Secrets used:' and '# Custom actions used:' sections in header
- Generate body first to collect secrets/actions before header is written
- Add tests for CollectActionReferences and lock file header ordering
- Recompile all 184 workflows with new header format

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/7b42071d-e47b-4be4-aa1f-e315084741be

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan pelikhan marked this pull request as ready for review April 4, 2026 13:31
Copilot AI review requested due to automatic review settings April 4, 2026 13:31
@pelikhan
Collaborator

pelikhan commented Apr 4, 2026

@copilot merge main and recompile

Contributor

Copilot AI left a comment


Pull request overview

This PR improves generated GitHub Actions lock file headers by making external dependencies more human- and machine-readable, primarily by moving the gh-aw-metadata JSON block to the first line and adding explicit manifests for referenced secrets and external actions.

Changes:

  • Emit # gh-aw-metadata: {...} as the first line in generated lock files and append new header sections for “Secrets used” and “Custom actions used”.
  • Add regex-based extraction for external uses: references (CollectActionReferences) alongside existing secret reference collection.
  • Refactor YAML generation to build the workflow body first, then derive secrets/actions lists for the header.

Summary per file:

  • pkg/workflow/compiler_yaml.go: Refactors YAML generation order; updates header generation to place gh-aw-metadata first and to print secrets/actions manifests.
  • pkg/workflow/redact_secrets.go: Adds CollectActionReferences and a uses:-matching regex to extract and dedupe external action references.
  • pkg/workflow/compiler_yaml_helpers_test.go: Updates unit test call site for the expanded generateWorkflowHeader signature.
  • .github/workflows/*.lock.yml: Regenerates lock files to reflect new header structure (metadata first line; secrets/actions manifests).

Copilot's findings


Comments suppressed due to low confidence (1)

pkg/workflow/redact_secrets.go:80

  • CollectActionReferences claims to return a deduplicated list of uses: values, but it deduplicates on entry (ref + optional tag comment). If the same action ref appears with different inline tags/comments (or once with and once without), it will be emitted multiple times. Consider deduplicating by ref and choosing a single display string (e.g., prefer the one with a tag comment when available).
  • Files reviewed: 189/189 changed files
  • Comments generated: 2

Comment on lines +17 to +20
// actionReferencePattern matches "uses: <action-ref>" lines in YAML, including
// both key-value format ("uses: ref") and list-item format ("- uses: ref").
// Captures the action reference (group 1) and optional inline comment tag (group 2).
var actionReferencePattern = regexp.MustCompile(`(?m)^\s+(?:-\s+)?uses:\s+(\S+)(?:\s+#\s*(.+?))?$`)
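Review bot: group 2 captures free text from the inline comment, and that text is what the header prints next to the SHA as the version tag (the `# v6.0.2` in the description's example); since a comment can drift from the pinned SHA on a later update, either document the manifest's tag as informational with the SHA as the source of truth, or check the tag against the ref before printing it. The pattern also matches every `uses:` value, local `./` refs included, so the exclusion the description promises has to live in CollectActionReferences; a comment on the pattern saying so would stop a future caller from relying on the regex alone. Finally, the lazy `(.+?)` is forced by the trailing `$` to run to end of line, so it behaves exactly like `(.+)`; the greedy form avoids suggesting the capture stops early.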

Copilot AI Apr 4, 2026


actionReferencePattern currently requires at least one leading whitespace (^\s+) and does not tolerate trailing whitespace after the ref unless an inline comment is present. This will miss valid uses: lines like uses: actions/checkout@sha or uses: actions/checkout@sha# v4 (no space before #). Consider relaxing the regex to ^\s*(?:-\s+)?uses:\s*(\S+)\s*(?:#\s*(.*))?$ so extraction is resilient to formatting differences.

This issue also appears on line 64 of the same file.
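An added extraction routine, written here for illustration rather than taken from the PR, that applies the relaxed matching this review asks for (no required indentation, spaces around the ref, trailing whitespace) and deduplicates by ref as the earlier finding suggests, keeping a tag if any occurrence carried one. It differs from the regex proposed above in one respect: a # is treated as an inline comment only when preceded by whitespace, which is how YAML delimits comments in plain scalars. The workflow fragment and the name usesPattern are constructed for this example.

```go
package main

import (
	"regexp"
	"sort"
	"strings"
)

// Constructed workflow fragment covering the formatting cases raised in review:
// list-item and key-value forms, extra spaces, trailing whitespace, a local ref,
// and the same ref appearing once without and once with an inline tag.
var sampleYAML = "jobs:\n  build:\n    steps:\n" +
	"      - uses: actions/checkout@de0fac2e # v6.0.2\n" +
	"      - uses: ./.github/actions/local-setup\n" +
	"      - name: script\n        uses: actions/github-script@ed5974   \n" +
	"      - uses:   actions/github-script@ed5974 # v8\n" +
	"      - uses: actions/upload-artifact@bbbca2 # v7\n"

// usesPattern tolerates no leading indentation, spaces around the ref and trailing
// whitespace. A "#" counts as a comment only after whitespace, as YAML defines it.
var usesPattern = regexp.MustCompile(`(?m)^[ \t]*(?:-[ \t]+)?uses:[ \t]*(\S+)(?:[ \t]+#[ \t]*(.*?))?[ \t]*$`)

// CollectActionReferences returns one sorted "ref # tag" entry per distinct external
// ref, keeping a tag if any occurrence carried one. Local "./" refs are skipped.
func CollectActionReferences(yamlContent string) []string {
	tags := map[string]string{}
	for _, m := range usesPattern.FindAllStringSubmatch(yamlContent, -1) {
		ref, tag := m[1], m[2]
		if strings.HasPrefix(ref, "./") {
			continue
		}
		if existing, seen := tags[ref]; !seen || (existing == "" && tag != "") {
			tags[ref] = tag
		}
	}
	out := make([]string, 0, len(tags))
	for ref, tag := range tags {
		if tag != "" {
			ref += " # " + tag
		}
		out = append(out, ref)
	}
	sort.Strings(out)
	return out
}
```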

Comment on lines +77 to +81
// Add lock metadata as the very first line for easy machine parsing.
// Single-line JSON format to minimize merge conflicts.
if frontmatterHash != "" {
agentInfo := AgentMetadataInfo{}
// Agent ID: prefer EngineConfig.ID, fall back to legacy AI field

Copilot AI Apr 4, 2026


The new requirement is that # gh-aw-metadata: {...} is line 1 of every lock file for machine parsing, but this header only emits metadata when frontmatterHash != "". If hash computation fails (currently treated as non-fatal), the lock file will revert to starting with the ASCII banner and break the parsing contract. Consider always emitting gh-aw-metadata (allowing empty frontmatter_hash) or making hash computation failure fatal for lockfile generation.

…nd-actions-to-lockfile

# Conflicts:
#	.github/workflows/claude-token-optimizer.lock.yml
#	.github/workflows/claude-token-usage-analyzer.lock.yml
#	.github/workflows/copilot-token-optimizer.lock.yml
#	.github/workflows/copilot-token-usage-analyzer.lock.yml
#	.github/workflows/token-logs-fetch.lock.yml

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Apr 4, 2026

@copilot merge main and recompile

Done in d41c4e8. Merged origin/main, resolved the 5 modify/delete conflicts (accepting the deletions from main), rebuilt the binary, and recompiled all 179 workflows.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -pack /home/REDACTED/work/gh-aw/gh-aw/cmd/gh-aw/main.go (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI requested a review from pelikhan April 4, 2026 13:38
@pelikhan pelikhan merged commit 4a8ed89 into main Apr 4, 2026
@pelikhan pelikhan deleted the copilot/add-secrets-and-actions-to-lockfile branch April 4, 2026 13:39
github-actions bot added a commit that referenced this pull request Apr 4, 2026
- Update gh aw audit diff signature to reflect multi-run support:
  accepts one base run and one or more comparison runs (from #24544)
- Document token usage diff breakdown (input/output/cache tokens,
  API requests, cache efficiency) added in #24544
- Document JSON array output and divider behavior for multiple diffs
- Add lock file header section to workflow-structure.md documenting
  the gh-aw-metadata first-line placement and the Secrets/Custom
  actions manifest sections added in #24495

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>