[plan] Add defensive bounds checks in action pin resolution fallback logic #14709

@github-actions

Description

Objective

Add explicit bounds validation in the action pin resolution fallback logic to prevent potential runtime panics when accessing array elements after filter operations.

Context

Source: Sergo Analysis Report #14696 - Critical Issue #1
Location: pkg/workflow/action_pins.go:245
Severity: Critical

The fallback logic in GetActionPin() accesses matchingPins[0] in an else branch without redundant validation. While the outer if len(matchingPins) > 0 check on line 232 guarantees safety, this represents a defensive programming gap that could become critical if the logic is refactored.

Current Code (Lines 238-246)

if len(compatiblePins) > 0 {
    selectedPin = compatiblePins[0]  // ✅ SAFE
    actionPinsLog.Printf("...")
} else {
    selectedPin = matchingPins[0]  // ❌ Assumes matchingPins non-empty
    actionPinsLog.Printf("...")
}

Proposed Fix

if len(compatiblePins) > 0 {
    selectedPin = compatiblePins[0]
    actionPinsLog.Printf("...")
} else if len(matchingPins) > 0 {
    selectedPin = matchingPins[0]
    actionPinsLog.Printf("...")
} else {
    // Defensive: should never happen due to outer check
    actionPinsLog.Printf("ERROR: No pins available after filtering for %s@%s", actionRepo, version)
    return "", fmt.Errorf("no action pins available for %s@%s", actionRepo, version)
}
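
As an added illustration (not the project's code; the pin type, the prefix-based compatibility filter and the function names are assumptions), this Go snippet models the fallback described above, with a filter that can legitimately return an empty slice, and places the flagged pattern beside the defensive form:

```go
package main

import (
	"fmt"
	"strings"
)

// pin is a simplified stand-in for an action pin record (assumed shape, not the project's type).
type pin struct{ Version, SHA string }

// filterCompatible keeps pins whose version starts with the requested one
// ("v4" matches "v4.1.0"); like any filter it may return an empty slice.
func filterCompatible(pins []pin, version string) []pin {
	var out []pin
	for _, p := range pins {
		if strings.HasPrefix(p.Version, version) {
			out = append(out, p)
		}
	}
	return out
}

// selectPinUnsafe reproduces the pattern flagged in the issue: the else branch
// indexes matchingPins[0], which panics when matchingPins is empty.
func selectPinUnsafe(matchingPins []pin, version string) pin {
	if compatible := filterCompatible(matchingPins, version); len(compatible) > 0 {
		return compatible[0]
	}
	return matchingPins[0] // index out of range on an empty slice
}

// selectPin is the defensive version: every branch checks the length it indexes,
// and the "cannot happen" case becomes an error instead of a runtime panic.
func selectPin(matchingPins []pin, repo, version string) (pin, error) {
	if compatible := filterCompatible(matchingPins, version); len(compatible) > 0 {
		return compatible[0], nil
	} else if len(matchingPins) > 0 {
		return matchingPins[0], nil
	}
	return pin{}, fmt.Errorf("no action pins available for %s@%s", repo, version)
}

func main() {
	// Constructed sample pins; SHAs are placeholders, not real commits.
	pins := []pin{{"v3.0.0", "aaaa"}, {"v4.1.0", "bbbb"}}
	fmt.Println(selectPin(pins, "actions/checkout", "v5")) // no v5 pin: falls back to v3.0.0
	fmt.Println(selectPin(nil, "actions/checkout", "v5"))  // nothing to fall back to: error, not a panic
}
```

Running the same empty input through selectPinUnsafe reproduces the index-out-of-range panic the issue is guarding against.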

Acceptance Criteria

AI generated by Plan Command for #14696

  • expires on Feb 12, 2026, 1:07 AM UTC
