fix: add digest pins for gh-aw-mcpg:v0.3.0 and github-mcp-server:v1.0.3 #28837

Merged
pelikhan merged 3 commits into main from copilot/review-container-version-downloads
Apr 28, 2026

Copilot AI commented Apr 28, 2026

Summary

Reviewing the referenced CI run (#step:26:1) revealed that two currently-default container images lacked digest pins in the container registry:

  • ghcr.io/github/gh-aw-mcpg:v0.3.0 (DefaultMCPGatewayVersion)
  • ghcr.io/github/github-mcp-server:v1.0.3 (DefaultGitHubMCPServerVersion)

Without digest pins, the "Download container images" step downloads these by mutable tag only — not supply-chain safe and not reproducible.

Changes

  • Added digest pins for ghcr.io/github/gh-aw-mcpg:v0.3.0 and ghcr.io/github/github-mcp-server:v1.0.3 to .github/aw/actions-lock.json
  • Rebuilt binary (JSON data is embedded via //go:embed) and recompiled all 203 workflow lock files
  • All download steps now use image:tag@sha256:... for those two images, matching the pattern already used for AWF containers and node:lts-alpine

Before / After

Before — download step contained:

ghcr.io/github/gh-aw-mcpg:v0.3.0
ghcr.io/github/github-mcp-server:v1.0.3

After — download step now contains:

ghcr.io/github/gh-aw-mcpg:v0.3.0@sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d
ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959
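
Added example (not code from this PR or from gh-aw): a Go check that classifies each image reference in a download step as tag-only, malformed, absent from the lock, mismatched or pinned, using the gh-aw-mcpg pin quoted above. The lock map shape, the status names and the sample list in `main` are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// A well-formed sha256 digest is exactly 64 lowercase hex characters.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

const (
	mcpg       = "ghcr.io/github/gh-aw-mcpg:v0.3.0"
	mcpgDigest = "sha256:9c2228324fb1f26f39dc9471612e530ae3efc3156dac05efb2e8d212878d454d"
)

// CheckRef classifies one image reference from a download step.
// lock maps "image:tag" to its expected digest; this in-memory shape is an
// assumption for the example, not the actions-lock.json schema.
func CheckRef(ref string, lock map[string]string) string {
	name, digest, hasDigest := strings.Cut(ref, "@")
	want, locked := lock[name]
	switch {
	case !hasDigest:
		return "tag-only" // mutable: the tag can be re-pointed at other content
	case !digestRe.MatchString(digest):
		return "bad-digest" // truncated or non-sha256 digest
	case !locked:
		return "not-in-lock" // well-formed pin, but nothing to compare it against
	case want != digest:
		return "mismatch" // pinned to a digest the lock does not record
	}
	return "pinned"
}

// Unpinned returns "ref: status" for every reference that is not "pinned".
func Unpinned(refs []string, lock map[string]string) []string {
	var out []string
	for _, r := range refs {
		if s := CheckRef(r, lock); s != "pinned" {
			out = append(out, r+": "+s)
		}
	}
	return out
}

func main() {
	lock := map[string]string{mcpg: mcpgDigest}
	// Constructed download-step input: one pinned, one tag-only, one truncated digest.
	refs := []string{mcpg + "@" + mcpgDigest, mcpg, mcpg + "@sha256:9c22"}
	fmt.Println(Unpinned(refs, lock))
}
```

Run as a CI gate over generated lock files, a non-empty result from `Unpinned` is the condition to fail on.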

@pelikhan pelikhan marked this pull request as ready for review April 28, 2026 01:48
Copilot AI review requested due to automatic review settings April 28, 2026 01:49
@pelikhan

@copilot merge main and recompile

Copilot AI left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR improves supply-chain safety and reproducibility for default container downloads by adding immutable digest pins for ghcr.io/github/gh-aw-mcpg:v0.3.0 and ghcr.io/github/github-mcp-server:v1.0.3, then propagating the pinned images across generated lock artifacts.

Changes:

  • Added digest + pinned_image entries for gh-aw-mcpg:v0.3.0 and github-mcp-server:v1.0.3 in the action/container pin JSON sources (including the AW lock JSON).
  • Updated workflow lock manifests and “Download container images” invocations to use image:tag@sha256:....
  • Regenerated affected workflow .lock.yml files so the embedded manifests reflect the new pins.
| File | Description |
| --- | --- |
| pkg/workflow/data/action_pins.json | Adds digest pin metadata for the two default images used by workflow generation. |
| pkg/actionpins/data/action_pins.json | Adds matching digest pin metadata for the actionpins package’s embedded pin set. |
| .github/aw/actions-lock.json | Adds digest pins for the two default images so AW “download images” resolves to immutable references. |
| .github/workflows/workflow-health-manager.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/workflow-generator.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/video-analyzer.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/test-workflow.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/test-quality-sentinel.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/test-dispatcher.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/smoke-ci.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/security-compliance.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/schema-consistency-checker.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references (for referenced images). |
| .github/workflows/research.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/refiner.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/plan.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/metrics-collector.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/issue-triage-agent.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/hippo-embed.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references (for referenced images). |
| .github/workflows/github-mcp-tools-report.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references (for referenced images). |
| .github/workflows/firewall.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/example-permissions-warning.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/draft-pr-cleanup.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/discussion-task-miner.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/dev.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/deployment-incident-monitor.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/delight.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/craft.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/copilot-pr-merged-report.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references (for referenced images). |
| .github/workflows/contribution-check.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references (for referenced images). |
| .github/workflows/cli-consistency-checker.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/bot-detection.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/artifacts-summary.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/approach-validator.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |
| .github/workflows/ace-editor.lock.yml | Updates embedded manifest + download step to use pinned @sha256 references. |

Copilot's findings

  • Files reviewed: 139/206 changed files
  • Comments generated: 0

Copilot AI and others added 2 commits April 28, 2026 01:54
…ner-version-downloads

# Conflicts:
#	.github/workflows/schema-consistency-checker.lock.yml

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/96b8e971-fb85-49b8-8235-3b8f489b4b74

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Apr 28, 2026

@copilot merge main and recompile

Done — merged main (resolved one lock file conflict by recompiling) and recompiled all 203 workflows. Commit 913af2a.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw cH14Boa8RP93 (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -embedcfg /tmp/go-build183004181/b063/embedcfg -pack (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv -downloads^{commremote.origin.url (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv -downloads^{comm-f (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .default_branch (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan pelikhan merged commit 8881b63 into main Apr 28, 2026
@pelikhan pelikhan deleted the copilot/review-container-version-downloads branch April 28, 2026 02:20