Peel annotated tags to commit SHA when pinning gh-aw-actions references

[Copilot]

gh aw compile was emitting the annotated tag object SHA instead of the underlying commit SHA for github/gh-aw-actions pins, causing Renovate to repeatedly rewrite the same references (the version comment stays the same, only the SHA differs).

For github/gh-aw-actions@v0.68.1, the GitHub API's /git/ref/tags/{tag} returns two distinct SHAs:

• 2fe53acc... — annotated tag object (what the compiler was emitting)
• ea222e35... — peeled commit SHA (what Renovate expects)

Changes

• pkg/workflow/action_resolver.go — Changed the jq query from .object.sha to [.object.sha, .object.type] | @tsv. Uses an iterative peel loop (depth cap: 10) to handle chained tag objects, with a fresh 30 s timeout per peel API call. Extracts the parsing logic into an exported ParseTagRefTSV helper that validates both length and hex characters via gitutil.IsHexString.

• pkg/cli/update_actions.go — Same fix in getActionSHAForTag, using workflow.ParseTagRefTSV and the same iterative peel loop to avoid duplication and handle chained tag objects.

• pkg/workflow/action_resolver_test.go — TestParseTagRefTSV covers lightweight tags (type=commit), annotated tags (type=tag, must peel), and error cases (empty input, missing separator, empty type, short SHA, non-hex SHA).

# Before (annotated tag object SHA — churns with Renovate)
uses: github/gh-aw-actions/setup@2fe53acc038ba01c3bbdc767d4b25df31ca5bdfc # v0.68.1

# After (peeled commit SHA — stable, matches Renovate)
uses: github/gh-aw-actions/setup@ea222e359276c0702a5f5203547ff9d88d0ddd76 # v0.68.1

[Copilot]

Pull request overview

Updates action tag resolution so gh aw compile and gh aw update-actions emit the peeled commit SHA (not the annotated tag object SHA) when pinning uses: owner/repo@... references, preventing Renovate churn.

Changes:

• Fetches both tag object SHA and object type from the GitHub API ([.object.sha, .object.type] | @tsv) to detect annotated tags.
• Adds workflow.ParseTagRefTSV helper and uses it in both compile-time and update-time tag resolution.
• Adds unit tests for ParseTagRefTSV covering valid and malformed TSV outputs.

Show a summary per file

File	Description
pkg/workflow/action_resolver.go	Adds TSV parsing helper and peels annotated tags to commit SHAs during action SHA resolution.
pkg/cli/update_actions.go	Applies the same annotated-tag peeling behavior when updating pinned action SHAs.
pkg/workflow/action_resolver_test.go	Adds unit tests for TSV parsing behavior used by the tag resolver.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 3/3 changed files
• Comments generated: 6

[Copilot]

ParseTagRefTSV claims the SHA is “40 hex characters” but only checks length. This can accept non-hex values and also makes the error message inaccurate. Consider validating with gitutil.IsHexString (or equivalent) and returning an error when non-hex characters are present.

[Copilot]

The annotated-tag peel call only queries .object.sha from /git/tags/{sha}. Git tag objects can themselves point to another tag object (object.type == "tag"), in which case this logic would still return a tag object SHA rather than a commit SHA. Consider querying both .object.sha and .object.type here as well and iterating (with a small depth cap) until the object type is no longer "tag".

[Copilot]

Both GitHub API calls share the same 30s context timeout. If the first call uses most of the budget, the peel request can time out even when GitHub is healthy. Consider using a fresh timeout for the peel request (or increasing the overall budget to account for up to two API calls).

Suggested change

	cmd2 := ExecGHContext(ctx, "api", tagPath, "--jq", ".object.sha")
	peelCtx, peelCancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer peelCancel()
	cmd2 := ExecGHContext(peelCtx, "api", tagPath, "--jq", ".object.sha")

[Copilot]

Peeling annotated tags fetches only .object.sha from /git/tags/{sha}; tag objects may reference other tag objects (object.type == "tag"), so this can still return a tag object SHA instead of a commit SHA. Consider fetching both sha+type and iterating (with a depth cap) until the type is not "tag".

Suggested change

	// Annotated tags point to a tag object, not directly to a commit.
	// Peel the tag object to get the underlying commit SHA so that
	// emitted action pins use the stable commit SHA rather than the
	// mutable tag object SHA (which changes when the tag is re-created).
	if objType == "tag" {
	updateLog.Printf("Detected annotated tag for %s@%s (tag object SHA: %s), peeling to commit SHA", repo, tag, sha)
	output2, err := workflow.RunGHContext(ctx, "Peeling annotated tag...", "api", fmt.Sprintf("/repos/%s/git/tags/%s", repo, sha), "--jq", ".object.sha")
	if err != nil {
	return "", fmt.Errorf("failed to peel annotated tag: %w", err)
	}
	sha = strings.TrimSpace(string(output2))
	if len(sha) != 40 {
	return "", fmt.Errorf("invalid peeled SHA format: expected 40 hex characters, got %d (%s)", len(sha), sha)
	}
	updateLog.Printf("Peeled annotated tag %s@%s to commit SHA: %s", repo, tag, sha)
	// Annotated tags can point to another tag object rather than directly to
	// a commit. Iteratively peel until we reach a non-tag object so that
	// emitted action pins use the stable underlying object SHA rather than a
	// mutable tag object SHA.
	if objType == "tag" {
	const maxTagPeelDepth = 10
	updateLog.Printf("Detected annotated tag for %s@%s (tag object SHA: %s), peeling to underlying object SHA", repo, tag, sha)
	for depth := 0; objType == "tag"; depth++ {
	if depth >= maxTagPeelDepth {
	return "", fmt.Errorf("failed to peel annotated tag: exceeded max depth %d for %s@%s", maxTagPeelDepth, repo, tag)
	}
	output2, err := workflow.RunGHContext(
	ctx,
	"Peeling annotated tag...",
	"api",
	fmt.Sprintf("/repos/%s/git/tags/%s", repo, sha),
	"--jq",
	"[.object.sha, .object.type] | @tsv",
	)
	if err != nil {
	return "", fmt.Errorf("failed to peel annotated tag: %w", err)
	}
	sha, objType, err = workflow.ParseTagRefTSV(string(output2))
	if err != nil {
	return "", fmt.Errorf("failed to parse peeled tag API response for %s@%s: %w", repo, tag, err)
	}
	if len(sha) != 40 {
	return "", fmt.Errorf("invalid peeled SHA format: expected 40 hex characters, got %d (%s)", len(sha), sha)
	}
	}
	updateLog.Printf("Peeled annotated tag %s@%s to %s SHA: %s", repo, tag, objType, sha)

[Copilot]

The peeled SHA validation only checks length. To match the error message (“40 hex characters”) and to avoid accepting invalid output, validate the peeled SHA with gitutil.IsHexString (or equivalent) in addition to length.

Suggested change

	if len(sha) != 40 {
	if len(sha) != 40 || !gitutil.IsHexString(sha) {

[Copilot]

The test doc comment refers to parseTagRefTSV (unexported) but the helper is ParseTagRefTSV. Updating the comment will avoid confusion when searching for the helper name.

[github-actions]

🧪 Test Quality Sentinel Report

Test Quality Score: 90/100

✅ Excellent test quality

Metric	Value
New/modified tests analyzed	1 (table-driven, 7 sub-cases)
✅ Design tests (behavioral contracts)	1 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	1 (100%) — 4 error cases + 1 edge case
Duplicate test clusters	0
Test inflation detected	⚠️ Borderline (90 lines added to test / 44 to production = 2.05:1, just over 2:1 threshold)
🚨 Coding-guideline violations	None

---

Test Classification Details

Test	File	Classification	Issues Detected
TestParseTagRefTSV	pkg/workflow/action_resolver_test.go:114	✅ Design	None — excellent behavioral coverage across 7 table cases

---

Language Support

Tests analyzed:

• 🐹 Go (*_test.go): 1 test function (unit, //go:build !integration) — 7 table-driven sub-cases
• 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

---

Analysis Notes

TestParseTagRefTSV is a well-structured table-driven test that directly enforces the behavioral contract of the newly introduced ParseTagRefTSV function. The test verifies:

• Happy paths: lightweight tag (commit type) and annotated tag (tag type) are parsed correctly, returning the expected SHA and object type
• Edge case: input without a trailing newline is handled correctly
• Error paths: empty input, missing tab separator, empty type field, and short/invalid SHA are all rejected with the expected error message substrings

Each t.Errorf call includes the input value in the format string (e.g., ParseTagRefTSV(%q): expected error, got nil), providing enough context to diagnose failures without a separate message argument.

Minor observation: The test uses stdlib t.Errorf assertions rather than testify (assert.* / require.*). The project guidelines prefer testify-style assertions with descriptive message arguments. The stdlib form works correctly here, but future test additions to this file should use assert.NoError(t, err, "message") / assert.Equal(t, want, got, "message") for consistency with the rest of the codebase.

Test inflation note: The 90/44 line ratio (2.05:1) technically exceeds the 2:1 threshold. However, this is clearly legitimate: the production code adds one focused parsing function (ParseTagRefTSV, ~25 effective lines) while the test exercises 7 distinct input scenarios with full error assertions. No remediation needed.

---

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). The single new test function (TestParseTagRefTSV) is a high-value design test that directly verifies the parsing behavioral contract — including four error paths — making it an excellent safety net for the annotated-tag peeling feature.

---

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct
• Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §24474969198

🧪 Test quality analysis by Test Quality Sentinel · ● 504.9K · ◷

[github-actions]

✅ Test Quality Sentinel: 90/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). The new TestParseTagRefTSV table-driven test provides strong behavioral coverage including 4 error paths and 1 edge case for the annotated-tag peeling logic.

[github-actions]

Commit pushed: 6a56ab8

🏗️ ADR gate enforced by Design Decision Gate 🏗️

[github-actions]

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (159 new lines across pkg/workflow/ and pkg/cli/) but does not have a linked Architecture Decision Record (ADR).

AI has analyzed the PR diff and generated a draft ADR to help you get started:

📄 Draft ADR: docs/adr/26482-peel-annotated-tags-to-commit-sha.md

The draft captures the key decision: using a two-call API strategy to peel annotated Git tags to their underlying commit SHA, including the introduction of the shared ParseTagRefTSV helper. Please review and complete it before merge.

What to do next

1. Review the draft ADR committed to your branch — it was generated from the PR diff
2. Complete the missing sections — add context the AI couldn't infer, refine the decision rationale, and confirm/expand the alternatives you considered
3. Reference the ADR in this PR body by adding a line such as:

   ADR: ADR-26482: Peel Annotated Git Tags to Commit SHA

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

Why ADRs Matter

"AI made me procrastinate on key design decisions. Because refactoring was cheap, I could always say 'I'll deal with this later.' Deferring decisions corroded my ability to think clearly."

ADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you.

---

📋 Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

• Context — What is the problem? What forces are at play?
• Decision — What did you decide? Why?
• Alternatives Considered — What else could have been done?
• Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as Markdown files numbered by PR number (e.g., 26482-peel-annotated-tags-to-commit-sha.md for PR #26482).

🔒 This PR cannot merge until an ADR is linked in the PR body.

References: §24474969210

Note

🔒 Integrity filter blocked 1 item

The following item were blocked because they don't meet the GitHub integrity level.

• Peel annotated tags to commit SHA when pinning gh-aw-actions references #26482 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · ● 214.8K · ◷

[pelikhan]

@copilot merge main and recompile

[github-actions]

Great work on this fix, @Copilot! 🎉 Resolving the annotated-tag-vs-commit-SHA mismatch is exactly the kind of precise, root-cause fix that keeps Renovate stable and lock files clean.

The PR is well-structured: the bug is clearly explained with the two distinct SHAs, the ParseTagRefTSV helper is properly exported and unit-tested (including error cases), the fix is applied symmetrically across both the compiler path and update_actions, and an ADR is included. This looks ready for maintainer review! ✅

Generated by Contribution Check · ● 1.2M · ◷

[Copilot]

@copilot merge main and recompile

Main was already merged into this branch (commit 3e8a107). Ran make recompile — no workflow lock files changed.

Also addressed the pending code review feedback in 91932a3:

• ParseTagRefTSV now validates hex characters via gitutil.IsHexString (not just length)
• Both resolveFromGitHub and getActionSHAForTag use an iterative peel loop (depth cap 10) to handle chained tag objects
• Each peel API call in resolveFromGitHub gets a fresh 30 s timeout
• Test doc comment updated (parseTagRefTSV → ParseTagRefTSV); added non-hex SHA test case

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v7
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq [.object.sha, .object.type] | @tsv (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq [.object.sha, .object.type] | @tsv ACCEPT (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq [.object.sha, .object.type] | @tsv INVALID,NEW -j DROP (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/docker/build-push-action/git/ref/tags/v7
  • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v7 --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
  • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq [.object.sha, .object.type] | @tsv (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv get --local /opt/hostedtoolcache/uv/0.11.6/x86_64/git commit.gpgsign (http block)
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv ithub/workflows (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)