Merged
21 changes: 21 additions & 0 deletions .github/workflows/update-consumers.yml
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,27 @@ jobs:
- name: Setup credentials
uses: ./.github/actions/setup-credentials

- name: Checkout source for build
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: docker/cagent-action
ref: ${{ github.workflow_sha }}
Contributor
[MEDIUM] Checkout for build uses github.workflow_sha instead of the release SHA, potentially building the CLI from the wrong ref

The new "Checkout source for build" step uses ref: ${{ github.workflow_sha }} — the SHA of the commit that contains the workflow file (typically the current HEAD of main). However, the workflow's purpose is to propagate a specific validated release SHA (steps.resolve.outputs.sha) to consumer repositories.

This creates a semantic mismatch: the dist/signed-commit.js CLI that's built and then used in the "Discover and update consumer repos" step to create signed commits in consumer repos is compiled from a different commit than the release being propagated. If main has moved ahead of the release (which is the common case), consumers will be updated to release SHA X, but the CLI binary that performs those updates was built from a newer, unreleased commit.

Consider whether the intent is:

  • Build from the release SHA (consistent, reproducible): use ref: ${{ steps.resolve.outputs.sha }}
  • Build from the latest workflow infra (always up-to-date tooling): the current github.workflow_sha is intentional, but this should be documented with a comment explaining the design choice, since it means the CLI used to update consumers is not the same version being released to them.
      - name: Checkout source for build
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: docker/cagent-action
          ref: ${{ github.workflow_sha }}  # <-- builds from main HEAD, not the release SHA

persist-credentials: false

- name: Setup pnpm
uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
with:
run_install: false

- name: Setup Node.js
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 24
cache: pnpm

- name: Build signed-commit CLI
run: pnpm install --frozen-lockfile && pnpm build

- name: Discover and update consumer repos
env:
GH_TOKEN: ${{ env.GITHUB_APP_TOKEN }}
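Review bot: the "Build signed-commit CLI" step (`pnpm install --frozen-lockfile && pnpm build`) runs after "Setup credentials", so the dependency install and the project's own build script execute in a job environment where `GITHUB_APP_TOKEN` (consumed by the next step as `GH_TOKEN: ${{ env.GITHUB_APP_TOKEN }}`, and presumably exported by the "Setup credentials" step at the top of this hunk) is already present. Depending on the pnpm version selected by `pnpm/action-setup` and its lifecycle-script settings, `pnpm install` can run preinstall/postinstall scripts of transitive dependencies, which would then be able to read that token. Consider moving the checkout, pnpm/Node setup and build steps ahead of "Setup credentials", or adding `--ignore-scripts` to the `pnpm install` invocation, so that only the fully built CLI ever runs with the App token available. Separately, a short YAML comment next to `ref: ${{ github.workflow_sha }}` stating whether building from the workflow's commit rather than the resolved release SHA is intended would save the next reader the question raised in the thread above.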