fix: propagate context in action SHA resolution to enable timeout/cancellation

[Copilot]

Several functions making GitHub API calls for action SHA resolution used hardcoded context.Background(), making them impossible to cancel or time out from callers. This caused potential indefinite hangs when GitHub's API is slow or unreachable.

Core changes

pkg/workflow/ — resolver and maintenance paths

• ResolveSetupActionReference, resolveSetupActionRef: accept ctx; pass to resolver.ResolveSHA
• CheckActionSHAUpdates, ValidateActionSHAsInLockFile: accept ctx
• resolveActionRef, FetchDefaultBranch, GenerateMaintenanceWorkflow, buildMaintenanceWorkflowYAML, generateInstallCLISteps: accept ctx; FetchDefaultBranch switches from RunGH → RunGHContext
• generateAllSideRepoMaintenanceWorkflows, generateSideRepoMaintenanceWorkflow: accept ctx

pkg/workflow/compiler_types.go — context storage in Compiler

• Added ctx context.Context field with SetContext(ctx) and context() (falls back to context.Background()) methods so compiler-internal calls (e.g., resolveActionReference) inherit the caller's context without threading it through every method signature

pkg/cli/ — propagation through compile and add pipelines

• CompileWorkflowWithValidation / CompileWorkflowDataWithValidation: accept ctx; call compiler.SetContext(ctx) before compilation
• Full compile pipeline threaded: CompileWorkflows → compileSpecificFiles / compileAllFilesInDirectory → compileWorkflowFile → CompileWorkflowDataWithValidation
• generateMaintenanceWorkflowWrapper, runPostProcessing, runPostProcessingForDirectory: accept ctx
• AddResolvedWorkflows → addWorkflows → addWorkflowsWithTracking → addWorkflowWithTracking: accept ctx
• compileWorkflow, compileWorkflowWithRefresh, compileWorkflowWithTracking, compileDispatchWorkflowDependencies: accept ctx
• InitRepository, ensureMaintenanceWorkflow: accept ctx; init_command.go passes cmd.Context()

Before / After:

// Before
sha, err := resolver.ResolveSHA(context.Background(), actionRepo, tag)

// After — ctx flows from cobra command down through the entire call stack
sha, err := resolver.ResolveSHA(ctx, actionRepo, tag)

Test

Added TestCheckActionSHAUpdates_ContextCancellation — passes a pre-cancelled context and asserts LatestSHA is empty (resolution skipped, no hang).

Callers without an available context (e.g., enable.go watch-mode compilation) explicitly pass context.Background(), which preserves existing behavior while making the intent visible.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -v nfig/composer/ve--show-toplevel bash sRem�� te 'scripts/**/*.js' --ignore-path .prettierignore --log-level=error bash k/gh-aw/gh-aw/node_modules/.bin/node --noprofile (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw util odules/npm/node_--show-toplevel bash --no�� DefaultBranchFromLsRemoteWithRealGitbranch_with_hyphen2149036017/001' DefaultBranchFromLsRemoteWithRealGitbranch_with_hyphen2149036017/001' 64/pkg/tool/linux_amd64/vet --noprofile (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw g/ es/.bin/sh x_amd64/compile m/_n�� ons/secrets grep tartedAt,updatedAt,event,headBranch,headSha,displayTitle on' --ignore-patgit r /usr/sbin/bash git (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name h ../../../.pret.prettierignore .cfg de und(), actions, /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/asm committer.email k/_temp/uv-pythoDROP 64/pkg/tool/linux_amd64/vet --no�� g/testutil/tempdir.go .cfg 64/pkg/tool/linux_amd64/vet , \2, false, \3,git (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 sh sv sistency_GoAndJagit x_amd64/vet /opt/hostedtoolc--show-toplevel git rev-�� ithub-script/git/ref/tags/v9 /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linuupstream bject.type] | @tsv ithub-script/gitgh -trimpath bject.type] | @t/repos/actions/github-script/git/ref/tags/v9 git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv /tmp/gh-aw-test-runs/20260504-055240-17905/test-2653922312 rev-parse (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv 3354376/b406/_pkg_.a c 3354376/b406=> ./../.prettierig/usr/bin/git b/gh-aw/pkg/consconfig x_amd64/vet sh -c wabs/iktU4GgBgEazkoQkwabs x_amd64/vet /usr/local/sbin/sh rt (\n\t"contextgit k/gh-aw/gh-aw/pkrev-parse x_amd64/vet 3354376/b406/importcfg (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 /usr/lib/git-cor--jq bject.type] | @tsv -aw/git/ref/tagsgit --auto bject.type] | @t--show-toplevel git rev-�� ithub-script/git/ref/tags/v9 node bject.type] | @tsv /tmp/TestHashCongit 64/pkg/tool/linurev-parse /usr/bin/git git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/gh --show-toplevel git /usr/bin/git gh api /repos/actions/github-script/git/ref/tags/v9 --jq /opt/hostedtoolcache/go/1.25.8/x64/bin/node --show-toplevel ache/go/1.25.8/xrev-parse /usr/bin/infocmp--show-toplevel node (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv /tmp/go-build2463354376/b434/_pk-f -trimpath /bin/sh -p github.com/githurepo -lang=go1.25 /bin/sh -c git-receive-pack '/tmp/TestParseDefaultBranchFromLsRemoteWithRealGitbranch_with_hyphen2149036017git git-receive-pack '/tmp/TestParseDefaultBranchFromLsRemoteWithRealGitbranch_with_hyphen2149036017rev-parse /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -c=4 -nolocalimports -importcfg /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv /tmp/gh-aw-test-runs/20260504-055240-17905/test-2076578996/.github/workflows remote /usr/bin/git te 'scripts/**/*git .cfg 64/pkg/tool/linu--show-toplevel git rev-�� /ref/tags/v9 l sv 01 on ache/go/1.25.8/x--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 64/pkg/tool/linu-goversion sv se 7603419/b037/vetrev-parse .cfg git init�� rgo/bin/bash ache/go/1.25.8/xrev-parse /tmp/go-build2463354376/b469/workflow.test .*\), false, falgit g/cli/file_trackrev-parse ache/go/1.25.8/x--show-toplevel /tmp/go-build2463354376/b469/workflow.test (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git --show-toplevel ache/go/1.25.8/xrev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel ache/go/1.25.8/xrev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv th .prettierigno-errorsas est.go sh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv th .prettierigno-errorsas (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv --noprofile (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9.0.0
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv th .prettierigno-errorsas (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv --noprofile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv rt/yaml/yaml_def-errorsas g/workflow/compi-ifaceassert x_amd64/compile OUTPUT -d 168.63.129.16 x_amd64/compile --no�� --noprofile 53 x_amd64/vet ACCEPT (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel bash /usr/bin/infocmp 999 bash bject.type] | @t/repos/actions/github-script/git/ref/tags/v9 infocmp -1 xterm-color node (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv add origin /usr/bin/infocmp th .prettierignogit 7603419/b197/vetrev-parse ache/go/1.25.8/x--show-toplevel infocmp -1 xterm-color ache/go/1.25.8/x64/pkg/tool/linu-buildtags me: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } tmatter-with-envgit ../../../**/*.jsrev-parse x_amd64/compile git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel bash /usr/bin/gh runs/20260504-05gh bash e/git gh api /repos/actions/github-script/git/ref/tags/v9 --jq (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 ache/node/24.14.1/x64/bin/node bject.type] | @tsv y x_amd64/link /usr/bin/git git rev-�� /ref/tags/v9 git sv /tmp/gh-aw-test-infocmp rev-parse /opt/hostedtoolcxterm-color git (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv runs/20260504-055240-17905/test-602117680 --jq /usr/lib/git-core/git --noprofile git MaintenanceWorkf/repos/actions/github-script/git/ref/tags/v9 /usr/lib/git-cor--jq pack�� /ref/tags/v9 --revs sv --thin --delta-base-offrev-parse -q git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv -test.paniconexit0 (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv -test.paniconexit0 -test.v=true /usr/bin/git -test.timeout=10git -test.run=^Test -test.short=true--show-toplevel git conf�� ithub-script/git/ref/tags/v9 test@example.com bject.type] | @tsv path .prettieriggit g/cli/update_comrev-parse ache/go/1.25.8/x--show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linuconfig (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv ere s/12345/artifacts /opt/hostedtoolcache/node/24.14.1/x64/bin/node on' --ignore-patgit 7603419/b051/vetrev-parse 64/bin/bash /opt/hostedtoolcache/node/24.14.1/x64/bin/node /tmp�� steps.test.outputs.result Ww7VJguVlRAx /usr/bin/git ub/workflows format:pkg-json x_amd64/vet git (http block)
• https://api.github.com/repos/aws-actions/configure-aws-credentials/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/aws-actions/configure-aws-credentials/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git ErrorFormatting4git rev-parse "warnings":[]}] git rev-�� --show-toplevel infocmp /usr/bin/git xterm-color 64/pkg/tool/linuauth (http block)
  • Triggering command: /usr/bin/gh gh api /repos/aws-actions/configure-aws-credentials/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel 3354376/b461/imp/tmp/gh-aw-merge-3451268807/new.md /usr/bin/git /ref/tags/v9 x_amd64/vet sv git rev-�� /ref/tags/v9 /tmp/go-build2463354376/b456/timeutil.test sv runs/20260504-05git -test.v=true /usr/bin/infocmp--show-toplevel git (http block)
• https://api.github.com/repos/azure/login/git/ref/tags/v2
  • Triggering command: /usr/bin/gh gh api /repos/azure/login/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git /tmp/TestGuardPogit rev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/gh /tmp/gh-aw-test-infocmp rev-parse ache/node/24.14.xterm-color gh (http block)
• https://api.github.com/repos/docker/login-action/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 node bject.type] | @tsv /tmp/TestHashCongit 64/pkg/tool/linurev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/infocmp --show-toplevel x_amd64/vet /opt/hostedtoolcxterm-color infocmp (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv xterm-color 3354376/b413/constants.test /usr/bin/git t0 HEAD 64/pkg/tool/linuxterm-color git rev-�� --show-toplevel 64/pkg/tool/linu^remote\..*\.gh-resolved$ /usr/bin/git eutil.test faultBranchFromL-1 ortcfg.link git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv js/**/*.json' --ignore-path ../../../.prettierignore irements.go /home/REDACTED/.cargo/bin/bash (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 /tmp/go-build2463354376/b112/vet.cfg sv se 7603419/b123/vetrev-parse es/.bin/sh git -C /ref/tags/v9 remote sv ../pkg/workflow/git --write ache/uv/0.11.8/x--show-toplevel git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 64/pkg/tool/linu-importcfg bject.type] | @tsv se 7603419/b132/vetrev-parse ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/xrev-parse /usr/bin/git b/workflows bash x_amd64/compile git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-04-27 (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-04-04 -ifaceassert (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-02-03 -ifaceassert -nilfunc /opt/hostedtoolc-goversion -uns�� 2257640250/.gith-c=4 /tmp/go-build326-nolocalimports 64/pkg/tool/linu-importcfg --noprofile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name bash e_modules/.bin/sh --noprofile (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 bash At,event,headBranch,headSha,displayTitle json' --ignore-pgit (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name -tests .cfg --all-progress-igit --revs /home/REDACTED/.douser.name x2/zg1-jwF1IRoPaTest User --no�� 5240-17905/test-1139620536/.github/workflows bash ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet on' --ignore-patgit (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 -tests h (.*\), cache, \(git g/workflow/actiorev-parse node ortcfg --no�� 5240-17905/test-2257640250/.github/workflows g/constants/engine_constants.go ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile --noprofile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1234567890
  • Triggering command: /usr/bin/gh gh api repos/{owner}/{repo}/actions/runs/1234567890 --jq {databaseId: .id, number: .run_number, url: .html_url, status: .status, conclusion: .conclusion, workflowName: .name, workflowPath: .path, createdAt: .created_at, startedAt: .run_started_at, updatedAt: .updated_at, event: .event, headBranch: .head_branch, te '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pret.prettierignore .cfg /sh --local gpg.program /usr/local/sbin//tmp/go-build2463354376/b397/_pkg_.a 64/pkg/tool/linu-trimpath ache�� js/**/*.json' ---p git ache/go/1.25.8/x-lang=go1.25 rkflow/js/**/*.jgit (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name -tests .cfg --noprofile (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 -tests .yml --noprofile g/workflow/actiorev-parse odules/npm/node_--show-toplevel /opt/hostedtoolcache/go/1.25.8/xremote ortc�� 5240-17905/test-4007755208/.github/workflows stmain.go ache/go/1.25.8/x64/pkg/tool/linux_amd64/link rkflow/js/**/*.jgit (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name grep $name) { hasDiscussionsEnabled } } AddResolvedWorkfgit g/workflow/compiconfig erignore ortcfg api g/fileutil/spec_test.go --jq ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet th .prettierignogit est.go sh ache/go/1.25.8/x64/pkg/tool/linustatus (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 bash /usr/bin/git Background(), cogit (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name bash es/.bin/sh --noprofile /flatted/flattedrev-parse erignore gh api 5240-17905/test-3819976833/.github/workflows --jq ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile th .prettierignogit (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 bash cal/bin/node --noprofile r nfig/composer/ve/repos/actions/github-script/git/ref/tags/v9 git k/gh�� Onlymin-integrity_with_repos_array_c4092712440/001 on 3354376/b427/logger.test /../../.prettiergit erignore bash 3354376/b427/logger.test (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name grep in/sh (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 bash k/gh-aw/gh-aw/node_modules/.bin/node json' --ignore-pgit (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name /bin/sh 64/pkg/tool/linux_amd64/vet command -v debiagit (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 grep .cfg context\. /home/REDACTED/worrev-parse ode-gyp-bin/sh git k/gh�� Onlymin-integrity_with_explicit_repo3832705734/001 on rkflow/js/**/*.json /../../.prettier/usr/bin/git erignore n-dir/bash sh (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path h ../../../.pret.prettierignore .cfg x_amd64/asm --local o 1/x64/bin/bash x_amd64/asm --no�� om/aymanbagabas/go-udiff@v0.4.1/diff.go om/aymanbagabas/go-udiff@v0.4.1/export.go 64/pkg/tool/linux_amd64/vet run --auto /opt/hostedtoolc/tmp/gh-aw-test-runs/20260504-055240-17905/test-source-field-variant-664786983/.github/workflows 64/pkg/tool/linurev-parse (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 security sha-resolution ache/go/1.25.8/x-trimpath (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 chore: initial prev-parse cal/bin/bash grep m/_n�� compileWorkflowWithRefresh /home/REDACTED/work/gh-aw/gh-aw/pkg/cli/update_com-test.run=^Test 1/x64/bin/node rt r tnet/tools/bash git (http block)
• https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md
  • Triggering command: /tmp/go-build2463354376/b404/cli.test /tmp/go-build2463354376/b404/cli.test -test.testlogfile=/tmp/go-build2463354376/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true .egg --local /home/REDACTED/.lo"prettier" --write '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.prettierignore 64/pkg/tool/linux_amd64/vet --no�� --noprofile .cfg 64/pkg/tool/linux_amd64/vet --local user.email 64/bin/bash 64/pkg/tool/linu--write (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv ../pkg/workflow/-errorsas (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv js/**/*.json' --ignore-path ../../../.prettierignore --others ash (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv "prettier" --write '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path .././opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet bash x_amd64/vet --noprofile (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv on' --ignore-pat--detach 7603419/b079/vet.cfg .cfg **/*.ts **/*.json --ignore-path ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv on' --ignore-path ../../../.pret.prettierignore 7603419/b099/vet.cfg ode_modules/.bin/node tionSHAsInLockFigit _test.go cal/bin/bash ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -c pkg/mod/github.com/aymanbagabas/go-udiff@v0.4.1/lcs/common.go pkg/mod/github.com/aymanbagabas/go-udiff@v0.4.1/lcs/doc.go x_amd64/link und(), \1, falsegh /home/REDACTED/worapi run-script/lib/n/repos/actions/github-script/git/ref/tags/v9 x_amd64/link (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv on' --ignore-pat-p 7603419/b127/vetgithub.com/github/gh-aw/pkg/parser_test g_.a --noprofile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv : .head_branch, 7603419/b126/vet.cfg ode_modules/.bin/sh --noprofile (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv on' --ignore-pat--repo bash 64/pkg/tool/linux_amd64/link wsWithTracking\b/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/compile g/cli/ rgo/bin/bash 64/pkg/tool/linu-trimpath (http block)
• https://api.github.com/repos/google-github-actions/auth/git/ref/tags/v2
  • Triggering command: /usr/bin/gh gh api /repos/google-github-actions/auth/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv --show-toplevel git /usr/bin/git r-test3497137144git r-test3497137144rev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git /tmp/gh-aw-test-git rev-parse /usr/bin/git git (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv tmatter-with-env-template-expressions.md ../../../**/*.json /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet --ignore-path ../../../.prettirev-parse rgo/bin/git /opt/hostedtoolcache/go/1.25.8/xgit-receive-pack '/tmp/TestParseDefaultBranchFromLsRemoteWithRealGitmaster_branch3634492283/001' -uns�� '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json /tmp/go-build3267603419/b067/vet.cfg k/_temp/uv-python-dir/bash 1 lan for context config /sh /opt/hostedtoolcremote.origin.url (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion flowWithTrackinginfocmp (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo x_amd64/link (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo -importcfg /tmp/go-build2463354376/b437/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/semverutil/semverutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/semverutil/semverutil_test.go --no�� rite '../../../*-errorsas git 64/pkg/tool/linu-nilfunc FETCH_HEAD (http block)
  • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state g_.a --noprofile (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name h ../../../.pret.prettierignore Z6jRXmgJ6 64/pkg/tool/linux_amd64/vet solver)/ResolveSgo .go 86_64/bash 64/pkg/tool/linu-parallel=4 ortc�� rite '../../../*-run=^Test .cfg x_amd64/link origin main tnet/tools/bash x_amd64/link (http block)
• https://api.github.com/repos/test/repo
  • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch runs/20260504-055240-17905/test-2257640250/.github/workflows x_amd64/vet ptables l git x_amd64/vet /tmp/go-build2463354376/b395/actionpins.test -tes�� -test.paniconexit0 -test.v=true /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -test.timeout=10git -test.run=^Test -test.short=true--show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linu--jq (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

Hey @copilot-swe-agent 👋 — great to see work underway on propagating context.Context through the SHA resolution call chains! This is a solid foundational fix for proper cancellation and deadline support across the action-pins pipeline.

A couple of things to address before this is ready for review:

• No tests changed — the diff only touches two action_pins.json data files, but the PR plan describes threading ctx through many call chains (AddResolvedWorkflows, CheckActionSHAUpdates, resolveActionRef, etc.). Once those code changes land, the corresponding test helpers and unit tests will need to be updated to pass a context.Context as well.
• Missing prose description — the PR body is currently a task checklist (Groups A–D). Adding a short "what and why" paragraph at the top — e.g. what problem is solved by propagating context here and which callers benefit — will help reviewers understand the intent before diving into the diff.

This is still a draft/WIP, so both are expected to arrive in follow-up commits. Here's a prompt you can hand off to your coding agent to take care of the test updates:

Thread context.Context through the action SHA resolution call chains as planned in PR #30070:
1. Update AddResolvedWorkflows → addWorkflows → addWorkflowsWithTracking → addWorkflowWithTracking → fetchAllRemoteDependencies to accept and propagate ctx.
2. Add ctx to CheckActionSHAUpdates, ValidateActionSHAsInLockFile, and the compile pipeline.
3. Add ctx to resolveActionRef, FetchDefaultBranch, GenerateMaintenanceWorkflow, buildMaintenanceWorkflowYAML, generateInstallCLISteps, and side_repo functions.
4. Add ctx to ResolveSetupActionReference/resolveSetupActionRef and store ctx in Compiler struct.
5. Update all affected test files to pass context.Background() (or a test-scoped context) wherever the updated signatures require it.
6. Run `go test ./...` and fix any compilation or test failures.

Generated by Contribution Check · ● 1.6M · ◷

[github-actions]

🧪 Test Quality Sentinel Report

Test Quality Score: 90/100

✅ Excellent test quality

Metric	Value
New/modified tests analyzed	1
✅ Design tests (behavioral contracts)	1 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	1 (100%)
Duplicate test clusters	0
Test inflation detected	⚠️ Yes (ratio 10:1 for action_sha_checker_test.go)
🚨 Coding-guideline violations	None

---

Test Classification Details

Test	File	Classification	Issues Detected
TestCheckActionSHAUpdates_ContextCancellation	pkg/workflow/action_sha_checker_test.go:159	✅ Design	None — verifies observable behavior under cancellation

All other changes are minor adaptations to existing tests (adding context.Background() to match updated function signatures).

---

Flagged Items

⚠️ Test Inflation — pkg/workflow/action_sha_checker_test.go

Ratio: 40 lines added to test file vs. 4 lines added to production file → 10:1.

This is flagged by the metric, but the context is benign: the production change is a minimal signature update while the test adds a substantive new test function. This is good practice, not actual inflation. No action needed.

---

Language Support

Tests analyzed:

• 🐹 Go (*_test.go): 1 new test function; other modifications are signature adaptations
• 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

---

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). The single new test TestCheckActionSHAUpdates_ContextCancellation is a well-written behavioral contract test that:

• Verifies the system does not hang when context is cancelled (liveness property)
• Verifies LatestSHA is empty when resolution fails due to cancellation (output contract)
• Has a proper //go:build !integration build tag
• Uses no mock libraries
• Includes descriptive error messages on all assertions

---

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct

Goal: Shift toward tests that describe the system's behavioral contract.

References: §25323021204

🧪 Test quality analysis by Test Quality Sentinel · ● 922.8K · ◷

[github-actions]

✅ Test Quality Sentinel: 90/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). The new TestCheckActionSHAUpdates_ContextCancellation test is a well-written behavioral contract test verifying context cancellation propagation.

[github-actions]

Commit pushed: b2f00f5

🏗️ ADR gate enforced by Design Decision Gate 🏗️

[github-actions]

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (315 new lines in pkg/ directories) but does not have a linked Architecture Decision Record (ADR).

AI has analyzed the PR diff and generated a draft ADR to help you get started:

📄 Draft ADR: docs/adr/30070-propagate-context-through-sha-resolution-pipeline.md

Decision Captured

The draft ADR documents the key architectural decision: thread context.Context as the first parameter through every I/O-performing function in the action SHA resolution and workflow compilation call stacks, replacing all internal hardcoded context.Background() calls. It also captures the hybrid strategy of storing context on the Compiler struct where threading through every method signature is impractical.

What to do next

1. Review the draft ADR committed to your branch at docs/adr/30070-propagate-context-through-sha-resolution-pipeline.md
2. Complete any missing context — add detail the AI couldn't infer (e.g., the specific incident or user report that motivated this fix, team discussion notes)
3. Refine the alternatives if other approaches were seriously considered
4. Reference the ADR in this PR body by adding a line such as:

   ADR: ADR-30070: Propagate context.Context Through Action SHA Resolution and Compilation Pipeline

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

Why ADRs Matter

"AI made me procrastinate on key design decisions. Because refactoring was cheap, I could always say 'I'll deal with this later.' Deferring decisions corroded my ability to think clearly."

ADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you.

---

📋 Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

• Context — What is the problem? What forces are at play?
• Decision — What did you decide? Why?
• Alternatives Considered — What else could have been done?
• Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as Markdown files numbered by PR number (e.g., 30070-title.md for PR #30070).

🔒 This PR cannot merge until an ADR is linked in the PR body.

References: §25323021162

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · ● 136.3K · ◷

[Copilot]

Pull request overview

This PR propagates context.Context through action SHA resolution and related GitHub API/gh CLI call paths so callers can enforce timeouts/cancellation (avoiding potential indefinite hangs).

Changes:

• Threaded ctx through maintenance workflow generation, side-repo maintenance generation, and action SHA checking/validation.
• Added context storage on workflow.Compiler so compiler-internal action reference resolution inherits the caller’s context.
• Updated CLI compile/add/init/update pipelines to pass context end-to-end and added a cancellation-focused unit test.

Show a summary per file

File	Description
pkg/workflow/side_repo_maintenance.go	Add ctx plumbing to side-repo maintenance workflow generation and action ref resolution.
pkg/workflow/maintenance_workflow.go	Add ctx to maintenance generation + default-branch fetch via RunGHContext.
pkg/workflow/maintenance_workflow_yaml.go	Add ctx to YAML builder so action SHA resolution can be cancelled/time-limited.
pkg/workflow/maintenance_workflow_test.go	Update tests for new ctx parameters.
pkg/workflow/data/action_pins.json	Add additional major-version pins used by workflows.
pkg/workflow/compiler_types.go	Store a compilation-scoped context in Compiler with fallback behavior.
pkg/workflow/compiler_custom_actions_test.go	Update tests for new ResolveSetupActionReference(ctx, ...) signature.
pkg/workflow/action_sha_validation_test.go	Update tests for ValidateActionSHAsInLockFile(ctx, ...).
pkg/workflow/action_sha_checker.go	Add ctx to SHA update checking and lockfile validation.
pkg/workflow/action_sha_checker_test.go	Add cancellation test and update signatures.
pkg/workflow/action_sha_checker_integration_test.go	Update integration tests for ctx signature.
pkg/workflow/action_reference.go	Add ctx to setup action reference resolution and propagate compiler context internally.
pkg/workflow/action_reference_test.go	Update tests for new ctx parameter.
pkg/cli/update_workflows.go	Propagate ctx into refresh compilation for updated workflows.
pkg/cli/update_command_test.go	Update tests for compileWorkflowWithRefresh(ctx, ...).
pkg/cli/update_actions.go	Propagate ctx into recompile after action updates.
pkg/cli/interfaces_test.go	Update init tests for InitRepository(ctx, ...).
pkg/cli/init.go	Accept ctx and pass through to maintenance workflow generation.
pkg/cli/init_test.go	Update tests for InitRepository(ctx, ...) and ensureMaintenanceWorkflow(ctx, ...).
pkg/cli/init_mcp_test.go	Update MCP init tests for InitRepository(ctx, ...).
pkg/cli/init_command.go	Pass cmd.Context() into repository init.
pkg/cli/init_command_test.go	Update init command tests for InitRepository(ctx, ...).
pkg/cli/file_tracker_test.go	Update tracking compilation tests for ctx-accepting compile helpers.
pkg/cli/error_formatting_test.go	Update compilation call to pass context.
pkg/cli/enable.go	Make the “compile to create lock file” path explicitly use context.Background().
pkg/cli/compile_workflow_processor.go	Thread ctx into per-file compilation to reach validation + SHA resolution.
pkg/cli/compile_validation.go	Add ctx to compile+validate entrypoints and set compiler context before compilation.
pkg/cli/compile_update_discussion_test.go	Update compilation call to pass context.
pkg/cli/compile_security_benchmark_test.go	Update benchmark compilation calls to pass context.
pkg/cli/compile_post_processing.go	Propagate ctx into maintenance workflow post-processing wrapper.
pkg/cli/compile_pipeline.go	Thread ctx through compile pipeline and post-processing functions.
pkg/cli/compile_orchestrator.go	Pass orchestrator ctx into file/directory compilation functions.
pkg/cli/compile_guard_policy_test.go	Update compilation calls to pass context.
pkg/cli/compile_file_operations.go	Update helper compilation calls to pass an explicit background context.
pkg/cli/add_workflow_pr.go	Thread ctx through PR-based add workflow path.
pkg/cli/add_workflow_compilation.go	Thread ctx through add-time compilation helpers and dispatch dependency compilation.
pkg/cli/add_interactive_git.go	Pass interactive command ctx through workflow addition pipeline.
pkg/cli/add_gitattributes_test.go	Update tests for new addWorkflows(ctx, ...) signature.
pkg/cli/add_command.go	Thread ctx through resolved workflow add pipeline (including PR path).
pkg/cli/add_command_test.go	Update tests for new ctx-first add APIs.
pkg/actionpins/data/action_pins.json	Keep action pins data in sync with workflow copy.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 42/42 changed files
• Comments generated: 4

[pelikhan]

@copilot review all comments

[pelikhan]

@copilot review all comments

[Copilot]

@copilot review all comments

Addressed all reviewer comments in c95cee6:

1. Missing context in integration tests — side_repo_maintenance_integration_test.go now passes context.Background() to all GenerateMaintenanceWorkflow calls (was missed because the //go:build integration tag hid it from the normal build).

2. Missing context in compile_command_test.go — CompileWorkflowWithValidation and CompileWorkflowDataWithValidation calls that were missed in the initial pass now pass context.Background().

3. Potential panic from action.SHA[:7] / latestSHA[:7] — Added length guards before both slice operations in action_sha_checker.go so short or empty SHAs (e.g., from a cancelled context or a corrupt cache entry) don't cause a panic.

[Copilot]

@copilot review all comments

All reviewer comments were addressed in c95cee6 — see my reply above for the full breakdown.