problem after gh aw update: Two different actions share the exact same commit SHA

[bmerkle]

• scenario:
  I have a existing gh aw workflow
  I want to update this to the latest version of gh aw
  I do a gh aw update
  then i get the error message or warning below Two different actions share the exact same commit

• expected behaviour
  gh aw update should work OOTB

I assume that there are a rename from setup to setup-cli
github/gh-aw-actions/setup-cli@v0.68.1
github/gh-aw-actions/setup@v0.68.1

• error message:
  The review found one critical issue in the changes from gh aw update:

  🔴 Critical: Duplicate SHA in actions-lock.json

  File: .github/aw/actions-lock.json (lines 28–37)

  Two different actions share the exact same commit SHA (2fe53acc038ba01c3bbdc767d4b25df31ca5bdfc):

  • github/gh-aw-actions/setup-cli@v0.68.1
  • github/gh-aw-actions/setup@v0.68.1

  This is cryptographically impossible for two distinct repositories — it strongly suggests a copy-paste error or a bug in the gh aw update tool when generating the lock file.

  Recommended fix: Verify the correct SHA for setup-cli@v0.68.1 from the actual GitHub repository and update the lock file with the accurate value, or re-run gh aw update with a corrected/newer version of
  the tool.

[pelikhan]

@copilot

• Add canary runtime check that enforce two different actions do not share the same sha.
• in --validate mode, add runtime check of sha for each action

[pelikhan]

Those are two different actions hosted in the same repo, it's expected.