Apply container digest pinning during gh aw update and include container pins in frontmatter hash computation #27744

Closed. Copilot wants to merge 8 commits into main from copilot/feature-pin-container-images-digest

Contributor

Copilot AI commented Apr 22, 2026

Compiled lock workflows were not reliably updated to use newly resolved container digests during gh aw update; pin data could be written to actions-lock.json without being reflected in .lock.yml outputs in the same run.

  • Update flow now applies container pins to lock files immediately

    • RunUpdateWorkflows now consumes whether UpdateContainerPins produced new pins.
    • When pins change (and --no-compile is not set), update triggers recompilation of workflows that already have lock files, so lock outputs pick up image@sha256:... references in the same command execution.
  • Container pin API adjusted for orchestration

    • UpdateContainerPins now returns (pinsUpdated bool, err error) instead of only error.
    • upgrade path was updated to match the new signature with no behavior change beyond compatibility.
  • Deterministic workflow selection for recompilation

    • Added helper logic to find .md workflows with matching .lock.yml files and recompile them in sorted order.
    • Keeps scope tight to workflows already managed as compiled lock artifacts.
  • Compile hash now reflects relevant container digest pins

    • Frontmatter hash computation now incorporates relevant container pin entries from .github/aw/actions-lock.json for container images declared in workflow tool config.
    • This ensures compile-time staleness detection and lock metadata reflect container pin changes.
    • Added parser tests to verify hash changes when relevant pins change and remains stable for unrelated pin updates.
  • Focused coverage for lock/workflow pairing

    • Added tests for selecting only markdown workflows that have corresponding lock files and for stable ordering.

```go
pinsUpdated, err := UpdateContainerPins(ctx, workflowsDir, verbose)
if err != nil {
    // warn and continue
} else if pinsUpdated && !noCompile {
    _ = recompileWorkflowsForContainerPins(workflowsDir, engineOverride, verbose)
}
```
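
The hash behaviour listed in the description above (the hash changes when a relevant pin changes and stays stable for unrelated pins), together with the `image@sha256:...` reference form, as an added example that is not gh-aw's code. The pin map shape, the function names, the `container` frontmatter key and the sample images and digests are assumptions constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"regexp"
	"sort"
	"strings"
)

// digestRe accepts only a well-formed sha256 digest, so a truncated or
// malformed pin is never emitted into a lock file or mixed into the hash.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// PinnedRef renders image@sha256:... when a valid digest is pinned for the
// image. References that are already digest-pinned, or that have no usable
// pin, are returned unchanged.
func PinnedRef(image string, pins map[string]string) string {
	if strings.Contains(image, "@sha256:") {
		return image
	}
	if d, ok := pins[image]; ok && digestRe.MatchString(d) {
		return image + "@" + d
	}
	return image
}

// writeField length-prefixes each value so that adjacent fields cannot be
// shifted into one another to produce the same byte stream.
func writeField(w io.Writer, s string) {
	fmt.Fprintf(w, "%d:%s", len(s), s)
}

// FrontmatterHash hashes the frontmatter plus only those pins whose image the
// workflow declares. Images are sorted and de-duplicated so the result does
// not depend on declaration order or on Go's random map iteration order.
func FrontmatterHash(frontmatter string, declared []string, pins map[string]string) string {
	images := append([]string(nil), declared...)
	sort.Strings(images)
	h := sha256.New()
	writeField(h, frontmatter)
	prev := ""
	for _, img := range images {
		if img == prev {
			continue
		}
		prev = img
		if d, ok := pins[img]; ok && digestRe.MatchString(d) {
			writeField(h, img)
			writeField(h, d)
		}
	}
	return hex.EncodeToString(h.Sum(nil))
}

// samplePins returns constructed pin data (hypothetical images and digests).
func samplePins() map[string]string {
	return map[string]string{
		"ghcr.io/example/mcp-server:v1": "sha256:" + strings.Repeat("a", 64),
		"docker.io/example/unrelated:2": "sha256:" + strings.Repeat("b", 64),
	}
}

func main() {
	// Constructed frontmatter; the key names are assumptions.
	fm := "tools:\n  demo:\n    container: ghcr.io/example/mcp-server:v1\n"
	declared := []string{"ghcr.io/example/mcp-server:v1"}
	pins := samplePins()
	base := FrontmatterHash(fm, declared, pins)

	// A pin for an image this workflow does not use must not mark it stale.
	pins["docker.io/example/unrelated:2"] = "sha256:" + strings.Repeat("c", 64)
	fmt.Println("unrelated pin changed, hash stable:", base == FrontmatterHash(fm, declared, pins))

	// A new digest for a declared image must change the hash.
	pins["ghcr.io/example/mcp-server:v1"] = "sha256:" + strings.Repeat("d", 64)
	fmt.Println("relevant pin changed, hash differs:", base != FrontmatterHash(fm, declared, pins))
	fmt.Println("lock reference:", PinnedRef(declared[0], pins))
}
```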


Copilot AI and others added 4 commits April 22, 2026 03:07
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add feature to pin container images by digest in lock files Apply container digest pinning during gh aw update by recompiling affected lock workflows Apr 22, 2026
Copilot AI requested a review from pelikhan April 22, 2026 03:24
@pelikhan
Collaborator

@copilot build and run update

Contributor Author

Copilot AI commented Apr 22, 2026

> @copilot build and run update

Built successfully with make build and ran ./gh-aw update --dir /tmp/gh-aw-update-smoke/.github/workflows against commit 781d14f. The update command completed (exit 0), reported no workflows found with source field, and no repo files changed.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

@pelikhan
Collaborator

@copilot compile should resolve container pins. The container pins should be part of the frontmatter hash computation.

@pelikhan
Collaborator

@copilot use container syntax image@sha256: when digest available

@pelikhan pelikhan marked this pull request as ready for review April 22, 2026 04:15
Copilot AI review requested due to automatic review settings April 22, 2026 04:15
Contributor

Copilot AI left a comment

Pull request overview

Ensures gh aw update immediately applies newly resolved container image digest pins to compiled .lock.yml workflows by recompiling affected workflows during the same run.

Changes:

  • Updated UpdateContainerPins to return whether pins were updated ((bool, error)) and adapted callers.
  • Added an update flow step to recompile workflows that already have .lock.yml files when container pins change.
  • Added unit tests covering discovery and deterministic ordering of workflow/lock pairs for recompilation.

Summary per file:

| File | Description |
| --- | --- |
| pkg/cli/upgrade_command.go | Updates the upgrade flow to match the new UpdateContainerPins return signature. |
| pkg/cli/update_container_pins.go | Changes UpdateContainerPins to return whether any new container pins were added. |
| pkg/cli/update_command.go | Recompiles workflows with existing lock files when container pins change; adds workflow/lock pairing helper. |
| pkg/cli/update_command_container_pins_test.go | Adds tests for workflow selection and stable ordering for recompilation. |

Copilot's findings

  • Files reviewed: 6/6 changed files
  • Comments generated: 1

Comment thread pkg/cli/update_command.go
Comment on lines +168 to +174
for _, workflowFile := range workflowFiles {
quiet := false
refreshStopTime := false
if err := compileWorkflowWithRefresh(workflowFile, verbose, quiet, engineOverride, refreshStopTime); err != nil {
return fmt.Errorf("failed to recompile %s after updating container pins: %w", filepath.Base(workflowFile), err)
}
}
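
Review bot: the error built on the `return fmt.Errorf(...)` line is dropped if the call site matches the snippet in the PR description, which invokes this function as `_ = recompileWorkflowsForContainerPins(...)`. In that case actions-lock.json can hold new digests while the .lock.yml files keep their old image references, with nothing reported to the user. Log the returned error as a warning at the call site, or propagate it, so a partially applied pin update is visible.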

Copilot AI Apr 22, 2026

recompileWorkflowsForContainerPins returns immediately on the first compilation error, which can leave remaining workflows with existing lock files un-recompiled (and therefore not updated to use the newly pinned image digests) in the same gh aw update run. Consider continuing through all workflows, collecting failures, and returning a combined error (or logging per-workflow warnings) so one bad workflow doesn't prevent pins being applied everywhere.

Suggested change
for _, workflowFile := range workflowFiles {
quiet := false
refreshStopTime := false
if err := compileWorkflowWithRefresh(workflowFile, verbose, quiet, engineOverride, refreshStopTime); err != nil {
return fmt.Errorf("failed to recompile %s after updating container pins: %w", filepath.Base(workflowFile), err)
}
}
var failures []string
for _, workflowFile := range workflowFiles {
quiet := false
refreshStopTime := false
if err := compileWorkflowWithRefresh(workflowFile, verbose, quiet, engineOverride, refreshStopTime); err != nil {
failures = append(failures, fmt.Sprintf("%s: %v", filepath.Base(workflowFile), err))
}
}
if len(failures) > 0 {
return fmt.Errorf("failed to recompile workflows after updating container pins: %s", strings.Join(failures, "; "))
}
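
Review bot: the replacement formats each failure with `%v` and combines them with `strings.Join`, so the final error no longer wraps the underlying compile errors the way the original `%w` did, and callers cannot match them with errors.Is or errors.As. Collecting `fmt.Errorf("%s: %w", ...)` values and returning `errors.Join(...)` keeps the chain. As written, the suggestion also depends on the `strings` package being imported in update_command.go.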

Contributor Author

Copilot AI commented Apr 22, 2026

> @copilot compile should resolve container pins. The container pins should be part of the frontmatter hash computation.

Implemented in d4be848 (main behavior introduced in 9a7fa71): frontmatter hash computation now includes relevant container pins from .github/aw/actions-lock.json for container images declared in workflow tools, and parser tests verify hash changes for relevant pin updates while staying stable for unrelated pins.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name LsRemoteWithRealGitbranch_with_hyphen901000948/001&#39; 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 3796947674 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name show k/gh-aw/gh-aw/actions/setup/node_modules/.bin/sh ithub/workflows forks.js erignore go list�� 1139-39825/test-3370535310 -f /usr/bin/bash -- unsafe repository(owne--show-toplevel bash (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 3796947674 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name rev-parse k/gh-aw/gh-aw/actions/node_modules/.bin/sh ithub/workflows forks.js erignore go list�� 1139-39825/test-3370535310 {{context.GOARCH}} {{context.Compiler}} ache/node/24.14.1/x64/bin/node unsafe git urity-red-team.l-v tail (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path -c=4 -nolocalimports -importcfg /tmp/go-build169272378/b392/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/internal/tools/generate-action-metadata/main.go node /hom�� --check **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti-bool go (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 main -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE go env ut3939701366/001 GO111MODULE 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link (http block)
  • https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md
    • Triggering command: /tmp/go-build169272378/b404/cli.test /tmp/go-build169272378/b404/cli.test -test.testlogfile=/tmp/go-build169272378/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE node /opt�� run lint:cjs 64/bin/go GOSUMDB GOWORK 64/bin/go sh (http block)
    • Triggering command: /tmp/go-build762676674/b404/cli.test /tmp/go-build762676674/b404/cli.test -test.testlogfile=/tmp/go-build762676674/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true c672add3..HEAD --quiet ed } } gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq ge-issues.lock.yml --count c672add3..HEAD $name) { hasnpx prettier --write &#39;../../../**/*.json&#39; &#39;!../../../pkg/workflow/js/**/*.json&#39; --ignore-path git (http block)
    • Triggering command: /tmp/go-build1498084757/b404/cli.test /tmp/go-build1498084757/b404/cli.test -test.testlogfile=/tmp/go-build1498084757/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true --show-toplevel 64/pkg/tool/linu-1 /usr/bin/infocmpxterm-color git rev-�� --show-toplevel infocmp /usr/bin/git xterm-color git /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel go /usr/bin/git -json GO111MODULE ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/pkg/tool/linu/tmp/gh-aw/aw-feature-branch.patch git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/gh /home/REDACTED/worgit ctionpins.go in/node gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts /usr/bin/git .artifacts[].namls show k/gh-aw/gh-aw/ac/tmp/gh-aw/aw-feature-branch.patch git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel docker /usr/bin/gh k/gh-aw/gh-aw/.ggit ghcr.io/github/srev-parse /usr/bin/git gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts /usr/bin/git .artifacts[].namls config /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env /ref/tags/v9 GO111MODULE sv GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv ../pkg/workflow/js/**/*.json&#39; ---s GoFiles,IgnoredGoFiles,IgnoredOt-w n-dir/bash l --stdout r: $owner, name:REDACTED.os git -C k/gh-aw/gh-aw/.github/workflows config tions/setup/node_modules/.bin/node remote.origin.urgit tions/setup/js/nconfig r: $owner, name:--get git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv k/gh-aw/gh-aw/.github/workflows git ock.yml --show-toplevel /opt/hostedtoolcrev-parse /usr/bin/git git rev-�� k/gh-aw/gh-aw/.github/workflows git me: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } l node DiscussionsEnablremove /usr/bin/git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv js/**/*.json&#39; --ignore-path ../../../.prettierignore oFiles,IgnoredOtherFiles,CFiles,CgoFiles,CXXFiles,MFiles,HFiles,FFiles,SFiles,SwigFiles,SwigCXXFrev-parse /usr/bin/infocmp l --quiet k/_temp/uv-pytho/tmp/TestHashStability_SameInputSameOutput3519272946/001/stability-test.md infocmp -1 ex-frontmatter-with-tools.md node /usr/bin/git l git it git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv --show-toplevel git r: $owner, name: $name) { hasDiscussionsEnabled } } --show-toplevel /opt/hostedtoolc-1 /usr/bin/git git rev-�� --show-toplevel git me: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } --show-toplevel sh /usr/bin/git git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE find (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env lGitmain_branch998247765/001&#39; lGitmain_branch998247765/001&#39; 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv js/**/*.json&#39; ---errorsas git /usr/bin/git --verify l x_amd64/link git 2934�� k/gh-aw/gh-aw/.github/workflows show nt-all-merged.lock.yml 90970e657bc501cfgit git 64/bin/git git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv ithub/workflows git sh --show-toplevel ache/go/1.25.8/xrev-parse /usr/bin/git git rev-�� 13730892/001 13730892/002/work /usr/bin/git --show-toplevel 1/x64/bin/node /usr/bin/gh git (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env rdian.md GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv b/workflows -f /usr/bin/git l owner=github -f git -C LsRemoteWithRealGitmain_branch2485096167/001&#39; LsRemoteWithRealGitmain_branch2485096167/001&#39; 1/x64/bin/node remote.origin.urgit --stdout yml git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv ub/workflows :latest kflows/copilot-agent-analysis.lock.yml --show-toplevel ache/go/1.25.8/xrev-parse ed } } bash --no�� ithub/workflows git kflows/daily-integrity-analysis.lock.yml --show-toplevel ache/node/24.14.remote DiscussionsEnablremove infocmp (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion -test=false -export=true -deps=true bash --no�� --noprofile pkg/repoutil/repoutil.go /home/REDACTED/work/gh-aw/gh-aw/actions/setup/node_modules/.bin/node k/gh-aw/gh-aw /home/REDACTED/worrev-parse me: String!) { --show-toplevel node (http block)
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion ature-branch.pat/usr/bin/git git /usr/bin/git /usr/bin/gh api graphql -f 1/x64/bin/node -f owner=github -f 1/x64/bin/node (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE node /hom�� --check **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti-bool go (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE npx pret�� --check scripts/**/*.js 64/bin/go .prettierignore GOWORK 64/bin/go go (http block)
    • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE y-/GGRxPSBY0iEZ4uE6LMZF/aU_P7hTnremote.origin.url env l 2&gt;&amp;1; then \ echo &#34;Running wasm-opt -Oz (size optimization)...&#34;; \ BEFORE=$(wc -c &lt; gh-aw.wainfocmp GO111MODULE c7acf55ba7bba16987a2cd788766c0d2df6d858b66815938-d GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node /hom�� --check **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti/tmp/go-build169272378/b070/_pkg_.a go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name --show-toplevel git /usr/bin/git --show-toplevel go /usr/bin/git git rev-�� --show-toplevel /usr/bin/git /usr/bin/git -v go /usr/bin/git git (http block)
  • https://api.github.com/repos/test/repo
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch 3796947674 GO111MODULE 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link env test GO111MODULE rtcfg.link GOINSECURE GOMOD GOMODCACHE oSoHxTQA2N3NF7Rj1 (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch /tmp/TestGuardPolicyTrustedUsersCompiledOutput869614674/001 rev-parse /usr/bin/git /home/REDACTED/worgit rev-parse -healer.lock.yml--show-toplevel git rev-�� --show-toplevel git /usr/bin/git js/**/*.json&#39; --git show /usr/bin/infocmp--show-toplevel git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch /usr/bin/git git /usr/bin/git --show-toplevel git repository(owne--show-toplevel git init�� /usr/bin/git git /usr/bin/git --show-toplevel git repository(owne--show-toplevel git (http block)
  • invalid.example.invalid
    • Triggering command: /usr/lib/git-core/git-remote-https /usr/lib/git-core/git-remote-https origin https://invalid.example.invalid/nonexistent-repo.git git conf�� --local --get ode_modules/.bin/git -1 --format=%s /git git add . git tions/setup/node_modules/.bin/git -m Initial commit bin/git git (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

@github-actions

🧪 Test Quality Sentinel Report

Test Quality Score: 100/100

Excellent test quality

| Metric | Value |
|---|---|
| New/modified tests analyzed | 3 |
| ✅ Design tests (behavioral contracts) | 3 (100%) |
| ⚠️ Implementation tests (low value) | 0 (0%) |
| Tests with error/edge cases | 3 (100%) |
| Duplicate test clusters | 0 |
| Test inflation detected | No |
| 🚨 Coding-guideline violations | None |

Test Classification Details

View all test classifications (3 tests)
| Test | File | Classification | Notes |
|---|---|---|---|
| TestWorkflowFilesForExistingLocks | pkg/cli/update_command_container_pins_test.go:14 | ✅ Design | Table-driven (2 subtests); covers happy path + empty/no-match edge case; all assertions have descriptive messages |
| TestComputeFrontmatterHash_IncludesRelevantContainerPins | pkg/parser/frontmatter_hash_test.go:258 | ✅ Design | Verifies hash changes when referenced container digest changes — core behavioral contract |
| TestComputeFrontmatterHash_IgnoresUnrelatedContainerPins | pkg/parser/frontmatter_hash_test.go:311 | ✅ Design | Verifies hash stability when unrelated container digests change — important negative contract |

Flagged Tests — Requires Review

None. All tests are high-quality behavioral contracts.


Language Support

Tests analyzed:

  • 🐹 Go (*_test.go): 3 tests — unit (//go:build !integration)
  • 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

Verdict

Check passed. 0% of new tests are implementation tests (threshold: 30%). All 3 new tests enforce clear behavioral contracts: the workflowFilesForExistingLocks discovery function, and two complementary hash-sensitivity invariants (relevant pin changes → hash changes; unrelated pin changes → hash stable). Build tags are present, no mock libraries used, and every assertion carries a descriptive message.


📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

  • Assert on observable outputs, return values, or state changes
  • Cover error paths and boundary conditions
  • Would catch a behavioral regression if deleted
  • Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

  • Assert on internal function calls (mocking internals)
  • Only test the happy path with typical inputs
  • Break during legitimate refactoring even when behavior is correct
  • Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §24759857106

🧪 Test quality analysis by Test Quality Sentinel · ● 547.7K ·


@github-actions github-actions Bot left a comment


✅ Test Quality Sentinel: 100/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All 3 new tests enforce clear behavioral contracts with proper build tags, no mock libraries, and descriptive assertion messages.

Copilot AI changed the title Apply container digest pinning during gh aw update by recompiling affected lock workflows Apply container digest pinning during gh aw update and include container pins in frontmatter hash computation Apr 22, 2026
@github-actions


Warning

The push_to_pull_request_branch operation failed: Failed to apply bundle. The code changes were not applied.

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (362 new lines in pkg/ directories) but does not have a linked Architecture Decision Record (ADR).

The Design Decision Gate has analyzed the PR diff and generated a draft ADR to help you get started:

📄 Draft ADR: docs/adr/27744-apply-container-pins-during-update-via-immediate-recompile.md

What to do next

  1. Review the draft ADR committed to your branch — it was generated from the PR diff
  2. Complete the missing sections — add context the AI couldn't infer, refine the decision rationale, and list real alternatives you considered
  3. Commit the finalized ADR to docs/adr/ on your branch
  4. Reference the ADR in this PR body by adding a line such as:

    ADR: ADR-27744: Apply Container Digest Pins to Lock Files Immediately During gh aw update

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

📋 What the draft ADR covers

The draft captures three interrelated decisions introduced by this PR:

  1. Immediate recompile trigger — RunUpdateWorkflows now calls recompileWorkflowsForContainerPins when UpdateContainerPins reports new pins, ensuring .lock.yml outputs are updated in the same gh aw update run.
  2. Scoped workflow selection — only .md workflows that already have a matching .lock.yml are recompiled, processed in sorted order for determinism.
  3. Frontmatter hash includes container pins — relevant digest pins from actions-lock.json are folded into the canonical hash so that lock files are invalidated when pins change.

The draft records the API signature change to UpdateContainerPins (now (bool, error)) and its consequences for callers.

📋 Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

  • Context — What is the problem? What forces are at play?
  • Decision — What did you decide? Why?
  • Alternatives Considered — What else could have been done?
  • Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as Markdown files numbered by PR number (e.g., 27744-*.md for this PR).

🔒 This PR cannot merge until an ADR is linked in the PR body.

References: §24759857121

Caution

Security scanning requires review for Design Decision Gate 🏗️

Details

Potential security threats were detected in the agent output. The workflow output should be reviewed before merging.

Review the workflow run logs for details.

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · ● 104.5K ·
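
The scoped, sorted workflow selection and the two hash-sensitivity invariants discussed in the comments above (a relevant pin change alters the hash, an unrelated one does not), as an added Go example that is not gh-aw's code. The function names, the image-to-digest map shape, the length-prefixed hash layout and all sample values are assumptions constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"sort"
	"strings"
)

// writeField length-prefixes each value so adjacent fields cannot be
// re-split into a different (image, digest) sequence with the same bytes.
func writeField(w io.Writer, s string) {
	fmt.Fprintf(w, "%d:%s\n", len(s), s)
}

// pinHash (hypothetical name) hashes the frontmatter text together with the
// digest pins of only those images the workflow declares. Pins for images
// the workflow does not use never reach the hash.
func pinHash(frontmatter string, declaredImages []string, pins map[string]string) string {
	images := append([]string(nil), declaredImages...)
	sort.Strings(images) // order of declaration must not affect the hash
	h := sha256.New()
	writeField(h, frontmatter)
	for _, img := range images {
		digest, ok := pins[img]
		if !ok {
			continue // image has no pin yet, so it contributes nothing
		}
		writeField(h, img)
		writeField(h, digest)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// isStale reports whether a lock file whose metadata recorded `recorded`
// no longer matches the current frontmatter and relevant pins.
func isStale(recorded, frontmatter string, declaredImages []string, pins map[string]string) bool {
	return recorded != pinHash(frontmatter, declaredImages, pins)
}

// workflowsWithLocks returns the .md names that have a sibling .lock.yml in
// the same listing, sorted, so recompilation order is deterministic.
func workflowsWithLocks(names []string) []string {
	present := make(map[string]bool, len(names))
	for _, n := range names {
		present[n] = true
	}
	var out []string
	for _, n := range names {
		if strings.HasSuffix(n, ".md") && present[strings.TrimSuffix(n, ".md")+".lock.yml"] {
			out = append(out, n)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample data: image names and digests are placeholders.
	fm := "constructed frontmatter text"
	images := []string{"ghcr.io/example/tool:v1"}
	pins := map[string]string{
		"ghcr.io/example/tool:v1":  "sha256:" + strings.Repeat("a", 64),
		"ghcr.io/example/other:v1": "sha256:" + strings.Repeat("b", 64),
	}
	recorded := pinHash(fm, images, pins)

	pins["ghcr.io/example/other:v1"] = "sha256:" + strings.Repeat("c", 64)
	fmt.Println("stale after unrelated pin change:", isStale(recorded, fm, images, pins))

	pins["ghcr.io/example/tool:v1"] = "sha256:" + strings.Repeat("d", 64)
	fmt.Println("stale after relevant pin change: ", isStale(recorded, fm, images, pins))

	fmt.Println(workflowsWithLocks([]string{"z.md", "a.lock.yml", "a.md", "z.lock.yml", "notes.md"}))
}
```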

@pelikhan pelikhan closed this Apr 22, 2026
Copilot stopped work on behalf of pelikhan due to an error April 22, 2026 04:33

Development

Successfully merging this pull request may close these issues.

Feature request: pin container images by digest in compiled lock files

3 participants