Update action SHA pins in tests to match latest action_pins.json#18742
Merged
lpcox merged 2 commits intoclaude/update-payload-paths-and-size-controlfrom Feb 27, 2026
Conversation
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix failing GitHub Actions workflow test
Update action SHA pins in tests to match latest action_pins.json
Feb 27, 2026
lpcox
merged commit 8ace2cf
into
claude/update-payload-paths-and-size-control
1 check passed
lpcox
deleted the
copilot/fix-github-actions-workflow-243d581c-b577-4850-980a-b3179521bc56
branch
Contributor
There was a problem hiding this comment.
Pull request overview
Updates Go test expectations for pinned GitHub Actions commit SHAs to match the latest entries in pkg/workflow/data/action_pins.json, resolving failures caused by GetActionPin() now returning newer pins.
Changes:
- Updated expected SHA pins for runtime setup actions (setup-python, setup-uv, setup-dotnet, setup-java, setup-go) in
runtime_setup_test.go. - Updated expected SHA pins for artifact actions (download-artifact, upload-artifact) across multiple workflow generation tests.
- Aligned test assertions with newly compiled workflow outputs that emit the refreshed SHAs.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/runtime_setup_test.go | Updates expected SHAs for runtime setup actions to match refreshed pins. |
| pkg/workflow/safe_output_helpers_test.go | Updates expected SHA for actions/download-artifact in safe outputs download step test. |
| pkg/workflow/compile_outputs_pr_test.go | Updates expected SHA for actions/download-artifact in PR compile output test. |
| pkg/workflow/compiler_artifacts_test.go | Updates expected SHA for actions/upload-artifact in artifacts compilation tests. |
| pkg/workflow/git_patch_test.go | Updates expected SHA for actions/upload-artifact in git patch workflow test. |
| pkg/workflow/mcp_logs_upload_test.go | Updates expected SHA for actions/upload-artifact in MCP logs upload workflow tests. |
| pkg/workflow/threat_detection_test.go | Updates expected SHA for actions/upload-artifact in threat detection log upload step test. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
309
to
313
| expectSteps: 1, | ||
| checkContent: []string{ | ||
| "Setup Python", | ||
| "actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065", | ||
| "actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405", | ||
| "python-version: '3.11'", |
There was a problem hiding this comment.
These tests hardcode specific action SHAs, which will require churn whenever pkg/workflow/data/action_pins.json is updated. Consider deriving the expected pin via GetActionPin("actions/setup-python") (and similar) and asserting against the returned SHA/reference, as done in pkg/workflow/action_sha_validation_test.go, to keep tests aligned with the pins file automatically.
| "- name: Download agent output artifact", | ||
| "continue-on-error: true", | ||
| "uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53", | ||
| "uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3", |
There was a problem hiding this comment.
This assertion is tied to a specific download-artifact commit SHA. To avoid future breakage when action_pins.json updates, consider building the expected string from GetActionPin("actions/download-artifact") (or extracting just the SHA) instead of hardcoding the hash.
Suggested change
| "uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3", | |
| "uses: " + GetActionPin("actions/download-artifact"), |
Comment on lines
633
to
636
| "name: Upload threat detection log", | ||
| "if: always()", | ||
| "uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f", | ||
| "uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f", | ||
| "name: threat-detection.log", |
There was a problem hiding this comment.
Hardcoding the upload-artifact SHA here makes the test brittle when the pinned version in action_pins.json is refreshed. Consider using GetActionPin("actions/upload-artifact") to compute the expected reference/SHA for the assertion so the test remains valid across pin updates.
See below for a potential fix:
uploadArtifactPin := GetActionPin("actions/upload-artifact")
expectedComponents := []string{
"name: Upload threat detection log",
"if: always()",
"uses: " + uploadArtifactPin,
lpcox
added a commit
that referenced
this pull request
Feb 27, 2026
…18617) * Initial plan * Add payload path prefix and size threshold to MCP gateway config Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> * Add tests and documentation for new MCP gateway payload fields Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> * Fix Codex engine test to include payloadSizeThreshold field Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> * Update golden files for MCP gateway payload fields Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> * Update PR title and description for MCP gateway payload configuration Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> * Add repos and min-integrity as flat fields to github tool config Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> * Revert "Add repos and min-integrity as flat fields to github tool config" This reverts commit edf34c1. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> * Fix redundant comma handling logic in MCP gateway JSON renderer Remove the always-true needsComma variable and simplify each optional field to unconditionally prepend a comma, since apiKey always precedes them without a trailing comma. Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> * Update wasm golden test files after MCP Gateway payload config changes (#18728) * Initial plan * Initial plan: update wasm golden test files Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> * Update wasm golden test files to fix build-wasm CI failure Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> * Fix failing action pin tests by adding missing hardcoded pin entries (#18735) * Initial plan * Fix action_pins tests: add missing checkout@v5.0.1, setup-dotnet@v4.3.1, upload-artifact@v5.0.0 entries Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> * Update action SHA pins in tests to match latest action_pins.json (#18742) * Initial plan * Fix failing tests by updating action SHA pins to latest versions Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --------- Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com> Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Co-authored-by: Landon Cox <landon.cox@microsoft.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
action_pins.jsonwas updated with newer action versions, but test assertions still expected the old commit SHAs. SinceGetActionPin()always returns the latest version for a given repo, compiled workflows now emit the new SHAs, causing test failures.Updated SHA pins
actions/setup-pythonastral-sh/setup-uvactions/setup-dotnetactions/setup-javaactions/setup-goactions/upload-artifactactions/download-artifactFiles updated
runtime_setup_test.go— setup-python, setup-uv, setup-dotnet, setup-java, setup-gosafe_output_helpers_test.go— download-artifactcompile_outputs_pr_test.go— download-artifactcompiler_artifacts_test.go— upload-artifactgit_patch_test.go— upload-artifactmcp_logs_upload_test.go— upload-artifactthreat_detection_test.go— upload-artifactWarning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
https://api.github.com/graphql/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw(http block)/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git(http block)https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha se 7214521/b050/vet.cfg .cfg(http block)/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha g/workflow/action_reference.go g/workflow/action_reference_test.go g/workflow/action_resolver.go g/workflow/actiogit g/workflow/actiorev-parse g/workflow/actio--show-toplevel g/workflow/action_sha_checker_test.go g/wo�� g/workflow/activation_checkout_test.go g/workflow/activation_outputs_always_declared_test.go 64/pkg/tool/linux_amd64/compile --noprofile(http block)/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha -json GO111MODULE 1/x64/bin/node GOINSECURE GOMOD GOMODCACHE go t-ha�� ithub/workflows/agent-performance-analyzer.md l e/git GOINSECURE GOMOD GOMODCACHE e/git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v3/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --show-toplevel 6Mk5UnoxiiVu1URXgQ/xwjGF80QF2-TIF53mZ8a/jAvp_yfng8--Ee0ussmO 1/x64/bin/node se 7214521/b164/vetrev-parse 2812267e2d3bc1ce--show-toplevel git ance�� HEAD ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet 1/x64/bin/node --noprofile(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env 3606-37778/test-1956008401/.github/workflows GO111MODULE .cfg GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v5/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha n_reference.go n_reference_test.go x_amd64/vet n_resolver_test.head n_sha_checker.go-10 n_sha_checker_integration_test.g-unreachable=false x_amd64/vet n_sh�� ation_checkout_test.go ation_outputs_always_declared_test.go x_amd64/vet(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --noprofile(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha 57 --log-level /home/REDACTED/go/bin/bash --log-target journal-or-kmsg(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v6/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --abbrev-ref HEAD kflow.test(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --verify claude/update-payload-paths-and-size-control ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha -stringintconv -tests /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/link(http block)https://api.github.com/repos/actions/github-script/git/ref/tags/v8/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --verify claude/update-payload-paths-and-size-control 1/x64/bin/bash(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --verify .cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -stringintconv -tests /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/link(http block)https://api.github.com/repos/actions/setup-go/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --verify claude/update-payload-paths-and-size-control ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet ache/node/24.13.1/x64/bin/node path.sh' ':::/usgit /tmp/go-build216rev-parse ache/go/1.25.0/x--show-toplevel git _cod�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet 64/bin/git -bool -buildtags /home/REDACTED/.lo--show-toplevel git(http block)/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha -json GO111MODULE Name,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 0500453/b291/vet.cfg GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/actions/setup-node/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --verify claude/update-payload-paths-and-size-control 86_64/bash(http block)/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet n-dir/bash path.sh' ':/usr/git /tmp/go-build216rev-parse ache/go/1.25.0/x--show-toplevel git _cod�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/cgo ache/node/24.13.1/x64/bin/node -bool -buildtags /home/REDACTED/wor--show-toplevel git(http block)/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha vaScript2565171792/001/test-frontmatter-with-env-template-expressions.md GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env runs/20260227-193606-37778/test-3659415974/.github/workflows GO111MODULE 0500453/b273/vet.cfg l GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts/usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts/usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go estl�� -json GO111MODULE 64/bin/go Action pins syngit GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts/usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go estl�� y-test.md GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts/usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts/usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts/usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts/usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/workflows/usr/bin/gh gh workflow list --json name,state,path d7ab9ec12dbe903eGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD erignore ache/go/1.25.0/xGO111MODULE env 4095005/b407/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE b/gh-aw/pkg/styl-c GOMODCACHE go(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel 64/pkg/tool/linu-ifaceassert /usr/bin/git g/workflow/activgit .cfg 64/pkg/tool/linu--show-toplevel git s --show-toplevel(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha(http block)/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git get --local 64/pkg/tool/linu--show-toplevel git s --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git --abbrev-ref HEAD .cfg git(http block)/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE s9ZXZGY/X4XoDkfiiEtxJ64HjgrP env 1627865831/.github/workflows GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/nonexistent/repo/actions/runs/12345/usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/owner/repo/actions/workflows/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD erignore ache/go/1.25.0/xGO111MODULE env 4095005/b417/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD erignore go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/owner/repo/contents/file.md/tmp/go-build1940500453/b381/cli.test /tmp/go-build1940500453/b381/cli.test -test.testlogfile=/tmp/go-build1940500453/b381/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE go env e=false GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/test-owner/test-repo/actions/secrets/usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/xGO111MODULE env 4095005/b402/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)If you need me to access, download, or install something from one of these locations, you can either:
Original prompt
✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.