
Fix unpinned GitHub Actions in firewall log parsing #2686

Merged

pelikhan merged 2 commits into main from copilot/fix-unpinned-github-actions on Oct 28, 2025

Conversation

Contributor

Copilot AI commented Oct 28, 2025

The firewall log parsing step used a hardcoded mutable version tag (actions/github-script@v8) instead of the centrally-managed commit SHA, creating a supply chain attack vector.

Changes

  • pkg/workflow/copilot_engine.go: Replace hardcoded actions/github-script@v8 with GetActionPin("actions/github-script") at line 953
  • Lock files: Recompile 12 affected workflows to use pinned SHA ed597411d8f924073f98dfc5c65a23a2325f34cd
// Before
stepLines := []string{
    "      - name: Parse firewall logs for step summary",
    "        if: always()",
    "        uses: actions/github-script@v8",  // Mutable tag
    "        with:",
    "          script: |",
}

// After
stepLines := []string{
    "      - name: Parse firewall logs for step summary",
    "        if: always()",
    "        uses: " + GetActionPin("actions/github-script"),  // Immutable SHA
    "        with:",
    "          script: |",
}

This aligns firewall workflows with the existing action pinning infrastructure used throughout the codebase.

Fixes #2680

Original prompt

This section details the original issue you should resolve

<issue_title>[q] Fix zizmor warnings: Pin GitHub Actions to commit SHAs</issue_title>
<issue_description># Q Workflow Optimization Report

Issues Found (from zizmor-style analysis)

Analyzed 56 compiled agentic workflows (.lock.yml files) and identified security vulnerabilities related to unpinned GitHub Actions.

Cluster 1: Unpinned Version Tags (Medium Severity)

Risk: Supply chain attack vulnerability from mutable version tags

Affected Actions:

  • actions/github-script@v8 - 15 instances across multiple workflows
  • actions/ai-inference@v1 - 2 instances in issue-classifier workflow

Root Cause:

  • Hardcoded version tag in pkg/workflow/copilot_engine.go line 953
  • Unpinned action in shared config .github/workflows/shared/actions-ai-inference.md

Workflows Affected:

  • artifacts-summary.md
  • changeset-generator.firewall.md
  • daily-news.md
  • daily-repo-chronicle.md
  • dev.firewall.md
  • dictation-prompt.md
  • firewall.md
  • issue-classifier.md (via shared config)
  • mcp-inspector.md
  • notion-issue-summary.md
  • research.md
  • smoke-copilot.firewall.md
  • smoke-copilot.md

Changes Made

1. pkg/workflow/copilot_engine.go

Change: Line 953 now uses centrally-managed action pinning

Before:

"        uses: actions/github-script@v8",

After:

"        uses: " + GetActionPin("actions/github-script"),

Benefits:

  • Uses centrally-managed SHA: ed597411d8f924073f98dfc5c65a23a2325f34cd
  • Automatically updates when action pins are updated in action_pins.go
  • Follows existing codebase security pattern
  • Eliminates mutable tag vulnerability

2. .github/workflows/shared/actions-ai-inference.md

Change: Pinned actions/ai-inference to commit SHA

Before:

uses: actions/ai-inference@v1

After:

uses: actions/ai-inference@63bd7ca53bb71a54a1e44baf4e4b5fb4d3fc2b85

Benefits:

  • Eliminates supply chain attack vector
  • Matches security best practices
  • Affects issue-classifier workflow

Expected Improvements

  • ✅ Eliminated 15+ instances of unpinned actions/github-script@v8
  • ✅ Fixed unpinned actions/ai-inference@v1 in shared config
  • ✅ All generated workflows now use immutable commit SHAs
  • ✅ Centralized action version management

Validation

Changes compiled successfully - note that .lock.yml files will be regenerated automatically after merge via the copilot agent workflow compilation process.

Note: As per project guidelines, .lock.yml files are not included in this PR - they will be compiled automatically after merge.

Positive Findings

The codebase already demonstrates strong security practices:

  • ✅ 654 instances of properly pinned actions/github-script@ed597411...
  • ✅ 461 instances of properly pinned actions/upload-artifact@ea165f8d...
  • ✅ 301 instances of properly pinned actions/download-artifact@634f93cb...
  • ✅ Zero pull_request_target or workflow_run triggers
  • ✅ No template injection vulnerabilities
  • ✅ No shell injection risks
  • ✅ Minimal permissions following least-privilege principles

Security Impact

Before: Good security posture with 20 unpinned actions
After: Excellent - all generated actions properly pinned to commit SHAs

This PR addresses the remaining vulnerabilities in the automated workflow generation system and ensures all future compiled workflows use immutable action references.

References

  • Analysis documents: Saved in /tmp/gh-aw/cache-memory/
    • zizmor-analysis.md - Detailed findings
    • zizmor-solutions.md - Solution approaches
    • zizmor-fix-plan.md - Implementation plan
  • Related issue: Zizmor status #2680

AI generated by Q


[!NOTE]
This was originally intended as a pull request, but the git push operation failed.

Workflow Run: View run details and download patch artifact

The patch file is available as an artifact (aw.patch) in the workflow run linked above.
To apply the patch locally:

# Download the artifact from the workflow run https://github.com/githubnext/gh-aw/actions/runs/18874390713
# (Use GitHub MCP tools if gh CLI is not available)
gh run download 18874390713 -n aw.patch
# Apply the patch
git am aw.patch
Show patch (50 lines)
From 2dcd6c9fe877007b64dfce17870d2e3ebb9339b4 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Tue, 28 Oct 2025 12:23:52 +0000
Subject: [PATCH] fix: pin GitHub Actions to commit SHAs to address zizmor
 warnings

- Update copilot_engine.go to use GetActionPin() for github-script action
- Pin actions/ai-inference to commit SHA in shared config
- Addresses supply chain attack vulnerability from mutable version tags

Fixes unpinned actions detected in zizmor analysis:
- action...


- Fixes githubnext/gh-aw#2685


- Replace hardcoded actions/github-script@v8 with GetActionPin() call
- This ensures all firewall workflows use the commit SHA from action_pins.go
- Recompiled affected workflow lock files to use ed597411d8f924073f98dfc5c65a23a2325f34cd

Fixes #2680

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
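The PR above replaces a mutable tag with a lookup into a central pin table and then recompiles the workflows. The following Go program is an added example, not code from gh-aw: it reconstructs that pattern with a hypothetical `actionPins` map and a `GetActionPin` that returns an error for unregistered actions (the real project's function and its signature may differ), and it adds a small zizmor-style check, `FindUnpinned`, that scans workflow YAML for `uses:` references whose ref is not a full 40-hex commit SHA and reports the pinned replacement when one is registered. The SHAs in the map are the two quoted on this page; `sampleWorkflow` is constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// actionPins stands in for the project's central pin table (the page's
// action_pins.go): one place that maps an action to the immutable commit SHA
// every generated workflow must use. The SHAs are the two quoted on this page;
// the trailing comments record the tag they correspond to, for humans only.
var actionPins = map[string]string{
	"actions/github-script": "ed597411d8f924073f98dfc5c65a23a2325f34cd", // v8
	"actions/ai-inference":  "63bd7ca53bb71a54a1e44baf4e4b5fb4d3fc2b85", // v1
}

// GetActionPin returns "owner/repo@sha" for a registered action. An unknown
// action is an error rather than a fallback to a mutable tag, so a typo in a
// generator cannot silently reintroduce an unpinned reference.
// (Hypothetical reconstruction; the project's real function may differ.)
func GetActionPin(action string) (string, error) {
	sha, ok := actionPins[action]
	if !ok {
		return "", fmt.Errorf("no pinned SHA registered for %q", action)
	}
	return action + "@" + sha, nil
}

// usesRe matches a `uses:` line and captures the action path and its ref.
// The first path segment must start with an alphanumeric, so local actions
// (./path) and docker:// images are not matched.
var usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*([A-Za-z0-9][A-Za-z0-9_.-]*/[A-Za-z0-9_./-]+)@([^\s#]+)`)

// sha40Re matches a full 40-hex-character commit SHA, the only immutable form
// of an action reference; tags and branches can be moved after the fact.
var sha40Re = regexp.MustCompile(`^[0-9a-f]{40}$`)

// Finding describes one mutable action reference found in a workflow.
type Finding struct {
	Line   int
	Action string
	Ref    string
	Fixed  string // pinned replacement, empty when no pin is registered
}

// FindUnpinned scans workflow YAML text and reports every `uses:` whose ref is
// not a full commit SHA, together with the pinned replacement from actionPins
// when one exists.
func FindUnpinned(workflow string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		action, ref := m[1], m[2]
		if sha40Re.MatchString(ref) {
			continue // already immutable
		}
		f := Finding{Line: i + 1, Action: action, Ref: ref}
		if pinned, err := GetActionPin(action); err == nil {
			f.Fixed = pinned
		}
		findings = append(findings, f)
	}
	return findings
}

// sampleWorkflow is constructed for this example: the mutable tags the issue
// reports next to one step that is already pinned, plus an action with no
// registered pin.
const sampleWorkflow = `jobs:
  summary:
    steps:
      - name: Parse firewall logs for step summary
        if: always()
        uses: actions/github-script@v8
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
      - uses: actions/ai-inference@v1
      - uses: some-org/unknown-action@main
`

func main() {
	for _, f := range FindUnpinned(sampleWorkflow) {
		if f.Fixed == "" {
			fmt.Printf("line %d: %s@%s is mutable and has no registered pin\n", f.Line, f.Action, f.Ref)
			continue
		}
		fmt.Printf("line %d: %s@%s is mutable; use %s\n", f.Line, f.Action, f.Ref, f.Fixed)
	}
}
```

Running the check over the constructed workflow flags lines 6, 8 and 9; the already-pinned line 7 is skipped. The unknown action is still reported, because a reference with no registered pin is exactly the case the PR's generator must fail loudly on rather than emit a tag.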
@pelikhan pelikhan marked this pull request as ready for review October 28, 2025 12:46
Copilot AI review requested due to automatic review settings October 28, 2025 12:46
Contributor

Copilot AI left a comment


Pull Request Overview

This PR addresses security vulnerabilities identified by zizmor analysis by pinning GitHub Actions to commit SHAs instead of using mutable version tags. The main change updates the copilot engine to use centrally-managed action pinning for the actions/github-script action, eliminating supply chain attack vectors across 15+ generated workflow files.

Key changes:

  • Updated copilot_engine.go to use GetActionPin("actions/github-script") instead of hardcoded @v8 tag
  • All affected .lock.yml workflow files now reference the pinned SHA ed597411d8f924073f98dfc5c65a23a2325f34cd

Reviewed Changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| pkg/workflow/copilot_engine.go | Updated firewall log parsing step to use centrally-managed action pinning |
| .github/workflows/*.lock.yml (13 files) | Auto-generated workflow files updated with pinned SHA for github-script action |


@github-actions
Contributor

Agentic Changeset Generator triggered by this pull request.

Copilot AI changed the title from "[WIP] Fix zizmor warnings by pinning GitHub Actions to commits" to "Fix unpinned GitHub Actions in firewall log parsing" Oct 28, 2025
Copilot AI requested a review from pelikhan October 28, 2025 12:49
@pelikhan pelikhan merged commit fa6d60d into main Oct 28, 2025
10 checks passed
@pelikhan pelikhan deleted the copilot/fix-unpinned-github-actions branch October 28, 2025 12:54
@github-actions github-actions bot mentioned this pull request Oct 28, 2025
Development

Successfully merging this pull request may close these issues.

Zizmor status

3 participants