Auto-recompile gh-aw lock files on Dependabot PRs #114
Open
theletterf wants to merge 5 commits into main from
Conversation
Dependabot pins actions to commit SHAs, but `gh aw compile` resolves tags to annotated-tag-object SHAs. The two disagree on actions like actions/github-script, so every Dependabot bump touching gh-aw lock files fails the pre-commit hook. This workflow runs on those PRs, recompiles, and pushes the result back to the Dependabot branch using an ephemeral oblt token so downstream checks re-run. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
theletterf (author): @reakaleek @Mpdreamz This should avoid Dependabot PRs getting stuck on AW lock files.
reakaleek reviewed Apr 27, 2026
Dependabot branches are same-origin, so pull_request handles the trigger and checkout fine. Declared permissions are still honored on Dependabot pull_request runs, so id-token: write works for the OIDC token. Avoids the pull_request_target footgun. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Prevent the docs-review agent from offering apply-ready GitHub suggestions when Elastic substitution syntax could be escaped by safe-output sanitization. Co-authored-by: GPT-5.5 <gpt-5.5@users.noreply.github.com> Made-with: Cursor
Keep this existing PR focused on its original workflow trigger changes now that the docs-review mitigation has a separate PR. Co-authored-by: GPT-5.5 <gpt-5.5@users.noreply.github.com> Made-with: Cursor
Mpdreamz requested changes Apr 28, 2026
```yaml
id: create-token
uses: elastic/oblt-actions/github/create-token@v1.38.1
with:
  token-policy: token-policy-8749eaab83f2
```
Mpdreamz: Does this require a new policy? This is reusing a token which is bound to a different workflow ref?
theletterf (author): You're right — checked the policy in catalog-info. It's bound to a single workflow_ref:

```yaml
bound_claims:
  workflow_ref: elastic/docs-actions/.github/workflows/check-aw-updates.yml@refs/heads/main
```

So this workflow gets rejected on two counts:

- Wrong workflow file (`recompile-aw-on-bump.yml` ≠ `check-aw-updates.yml`).
- Trigger is `pull_request`, so `workflow_ref` will be `…@refs/pull/N/merge`, not `…@refs/heads/main`.
I'll hold this PR until I can open a catalog-info PR to broaden the binding — either a list of allowed refs or a glob covering both workflows and refs/pull/*/merge. Open to a different approach if you'd prefer not to widen this policy (e.g., a separate policy just for this workflow, or a Dependabot-secret PAT). What's your preference?
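The two rejection reasons above, worked through as an added example (not code from the PR or from oblt-actions): it builds the `workflow_ref` claim the way GitHub does for push and pull_request runs and checks it against the quoted policy and against one possible widened policy. Glob matching via shell `case` is an assumption about the token-policy engine, whose real matching rules are not described here.

```shell
#!/usr/bin/env sh
# Added example, not from the PR. GitHub sets the OIDC `workflow_ref` claim to
# "<owner>/<repo>/<workflow path>@<ref>", where <ref> is refs/heads/<branch> for a
# push run and refs/pull/<N>/merge for a pull_request run.

# workflow_ref REPO WORKFLOW_PATH EVENT BRANCH_OR_PR_NUMBER: the claim a run carries.
workflow_ref() {
  case "$3" in
    pull_request) printf '%s/%s@refs/pull/%s/merge\n' "$1" "$2" "$4" ;;
    push)         printf '%s/%s@refs/heads/%s\n'      "$1" "$2" "$4" ;;
    *) echo "unsupported event: $3" >&2; return 2 ;;
  esac
}

# policy_allows ALLOWED_PATTERNS CLAIM: ALLOWED_PATTERNS is a whitespace-separated
# list; returns 0 if any entry matches CLAIM. Glob semantics are an assumption.
policy_allows() {
  claim=$2
  for pat in $1; do
    # shellcheck disable=SC2254  # $pat is deliberately unquoted so it acts as a glob
    case "$claim" in $pat) return 0 ;; esac
  done
  return 1
}

REPO=elastic/docs-actions
# The binding quoted in the thread: exactly one workflow file on exactly one ref.
CURRENT_POLICY="$REPO/.github/workflows/check-aw-updates.yml@refs/heads/main"
# One way to broaden it, as the reply proposes: add the new workflow on PR merge refs.
# Caveat: refs/pull/*/merge matches every pull_request run of that file, whoever opened
# the PR; the `if: github.actor == 'dependabot[bot]'` gate is in the workflow, not here.
WIDENED_POLICY="$CURRENT_POLICY $REPO/.github/workflows/recompile-aw-on-bump.yml@refs/pull/*/merge"
```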
Summary
- New workflow `.github/workflows/recompile-aw-on-bump.yml`. On any Dependabot PR that touches `.github/workflows/gh-aw-*.lock.yml`, it installs the pinned `gh-aw` (v0.71.1), runs `gh aw compile`, and pushes the result back to the Dependabot branch.
- Triggers on `pull_request` and gates with `if: github.actor == 'dependabot[bot]'`. Dependabot branches are same-origin so checkout/push work, and workflow-level `permissions:` declarations are honored on Dependabot `pull_request` runs (so `id-token: write` for the OIDC token still works).
- Uses the `elastic/oblt-actions/github/create-token` ephemeral token (same one `check-aw-updates.yml` uses), so downstream status checks re-run after the fixup commit.

Why

Dependabot pins actions to commit SHAs (e.g. `actions/github-script@3a2844b…`), but `gh aw compile` resolves the same `v9` tag to its annotated tag object SHA (`373c709c…`). They disagree, so every Dependabot bump that lands inside the gh-aw lock files trips the `compile-workflows` pre-commit hook. We hit this on #112 and will keep hitting it. This workflow makes the fix automatic instead of manual.

Test plan

Lock files already match a fresh compile).

🤖 Generated with Claude Code
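The root cause from the Why section, reproduced as an added example (not the PR's code) in a throwaway repository built on the spot: an annotated tag's own object SHA differs from the commit it points to, so a lock-file check has to peel the tag before comparing a Dependabot pin against a compiled one. The repository, tag names and commit are constructed here; `git` must be installed.

```shell
#!/usr/bin/env sh
# Added example, not from the PR: why a commit-SHA pin and a tag resolved to its
# annotated tag object disagree. `git rev-parse <annotated tag>` yields the tag
# *object* SHA; peeling with ^{commit} yields the commit. Lightweight tags have no
# object of their own, so both readings agree. Everything here is a constructed repo.
set -eu

GIT_ID='-c user.name=demo -c user.email=demo@example.invalid'

# make_demo_repo DIR: one empty commit, annotated tag v9, lightweight tag v9-light.
make_demo_repo() {
  git -c init.defaultBranch=main init -q "$1"
  # shellcheck disable=SC2086  # $GIT_ID is meant to split into separate -c flags
  git -C "$1" $GIT_ID commit -q --allow-empty -m "initial"
  git -C "$1" $GIT_ID tag -a v9 -m "release v9"   # annotated: creates a tag object
  git -C "$1" tag v9-light                        # lightweight: plain ref to the commit
}

# tag_object_sha DIR TAG: what the tag ref resolves to without peeling
# (for an annotated tag, the tag object SHA the description says gh aw compile writes).
tag_object_sha() { git -C "$1" rev-parse "refs/tags/$2"; }

# peeled_sha DIR TAG: the commit the tag ultimately points at (what Dependabot pins).
peeled_sha() { git -C "$1" rev-parse "refs/tags/$2^{commit}"; }

# same_tag_target DIR TAG SHA: 0 if SHA names TAG's commit, whether SHA is the tag
# object or the commit itself. A lock-file check needs this comparison, not string
# equality of the two pins.
same_tag_target() {
  want=$(peeled_sha "$1" "$2")
  got=$(git -C "$1" rev-parse --verify -q "$3^{commit}") || return 1
  [ "$want" = "$got" ]
}

# demo: print the three SHAs side by side for a fresh repo.
demo() {
  d=$(mktemp -d)
  make_demo_repo "$d"
  printf 'v9 tag object : %s\n' "$(tag_object_sha "$d" v9)"
  printf 'v9 peeled     : %s\n' "$(peeled_sha "$d" v9)"
  printf 'v9-light      : %s\n' "$(tag_object_sha "$d" v9-light)"
  rm -rf "$d"
}
```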