Skip to content

Fix release resolution algorithm and recompile workflows with correct action versions#11929

Merged
pelikhan merged 5 commits intomainfrom
copilot/recompile-workflows-lock-files-one-more-time
Jan 26, 2026
Merged

Fix release resolution algorithm and recompile workflows with correct action versions#11929
pelikhan merged 5 commits intomainfrom
copilot/recompile-workflows-lock-files-one-more-time

Conversation

Copy link
Contributor

Copilot AI commented Jan 26, 2026
edited
Loading

Workflow lock files (.lock.yml) were out of sync with their markdown sources (.md), and the release resolution algorithm was incorrectly selecting versions based on GitHub API order rather than semantic versioning.

Changes

Release Resolution Fix:

  • Modified getLatestActionRelease() and getLatestActionReleaseViaGit() to sort releases by semantic version
  • Algorithm now selects the highest semver version among compatible releases
  • Previously relied on GitHub API order (most recently published first)
  • Ensures proper semantic versioning rules are followed (e.g., v6.0.2 > v5.0.1)

Action Updates:

  • Updated GitHub Actions to latest versions using the fixed resolution algorithm
  • actions/checkout: v5.0.1 → v6.0.2 (correctly identified as highest version)
  • actions/github-script: v7.0.1/v8.0.0 → v8
  • Various other actions updated to latest compatible versions

Workflow Recompilation:

  • Recompiled all 140 workflows using gh aw compile --validate --verbose
  • Synchronized action_pins.json with updated action versions
  • All workflows now reflect their latest markdown configurations with 0 compilation errors

The fix prevents future action updates from causing unintended downgrades by ensuring the highest semantic version is always selected.

Original prompt

This section details on the original issue you should resolve

<issue_title>[agentics] agentic workflows out of sync</issue_title>
<issue_description>## Problem

The workflow lock files (.lock.yml) are out of sync with their source markdown files (.md). This means the workflows that run in GitHub Actions are not using the latest configuration.

What needs to be done

The workflows need to be recompiled to regenerate the lock files from the markdown sources.

Instructions

Recompile all workflows using one of the following methods:

Using gh aw CLI

gh aw compile --validate --verbose

Using gh-aw MCP Server

If you have the gh-aw MCP server configured, use the compile tool:

{
  "tool": "compile",
  "arguments": {
    "validate": true,
    "verbose": true
  }
}

This will:

  1. Build the latest version of gh-aw
  2. Compile all workflow markdown files to YAML lock files
  3. Ensure all workflows are up to date

After recompiling, commit the changes with a message like:

Recompile workflows to update lock files

Detected Changes

The following workflow lock files have changes:

View diff 
diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml
index c3f993e..a8c35f9 100644
--- a/.github/workflows/agent-performance-analyzer.lock.yml
+++ b/.github/workflows/agent-performance-analyzer.lock.yml
@@ -51,7 +51,7 @@ jobs:
       comment_repo: ""
     steps:
       - name: Checkout actions folder
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           sparse-checkout: |
             actions
@@ -99,7 +99,7 @@ jobs:
       secret_verification_result: ${{ steps.validate-secret.outputs.verification_result }}
     steps:
       - name: Checkout actions folder
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           sparse-checkout: |
             actions
@@ -109,7 +109,7 @@ jobs:
         with:
           destination: /opt/gh-aw/actions
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           persist-credentials: false
       - name: Create gh-aw temp directory
@@ -1607,7 +1607,7 @@ jobs:
       total_count: ${{ steps.missing_tool.outputs.total_count }}
     steps:
       - name: Checkout actions folder
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           sparse-checkout: |
             actions
@@ -1629,7 +1629,7 @@ jobs:
           echo "Agent Conclusion: $AGENT_CONCLUSION"
       - name: Download agent output artifact
         continue-on-error: true
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: agent-output
           path: /tmp/gh-aw/safeoutputs/
@@ -1712,7 +1712,7 @@ jobs:
       success: ${{ steps.parse_results.outputs.success }}
     steps:
       - name: Checkout actions folder
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           sparse-checkout: |
             actions
@@ -1723,13 +1723,13 @@ jobs:
           destination: /opt/gh-aw/actions
       - name: Download agent artifacts
         continue-on-error: true
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: agent-artifacts
           path: /tmp/gh-aw/threat-detection/
       - name: Download agent output artifact
         continue-on-error: true
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: agent-output
           path: /tmp/gh-aw/threat-detection/
@@ -1857,7 +1857,7 @@ jobs:
       activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
     steps:
       - name: Checkout actions folder
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           sparse-checkout: |
             actions
@@ -1889,7 +1889,7 @@ jobs:
       contents: write
     steps:
       - name: Check...

</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

- Fixes githubnext/gh-aw#11922

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more [Copilot coding agent tips](https://gh.io/copilot-coding-agent-tips) in the docs.

@pelikhan
Initial plan: Recompile workflows to sync lock files
e589158 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Copy link
Contributor

pelikhan commented Jan 26, 2026

@copilot fix the release resolution algorithm to keep the "highest" semver version, rather than just the latest release.

Copilot AI changed the title [WIP] Recompile workflows to sync lock files with markdown Recompile workflows to sync lock files with markdown sources Jan 26, 2026
Copilot AI requested a review from pelikhan January 26, 2026 19:43
Copilot AI and others added 2 commits January 26, 2026 20:00
@pelikhan
Fix release resolution to use highest semver version
72426f2 
Modified getLatestActionRelease() and getLatestActionReleaseViaGit() to:
1. Parse and collect all valid semantic version releases
2. Sort releases by semver in descending order (highest first)
3. Select the highest compatible version instead of relying on GitHub API order

This ensures we always get the highest semantic version, not just the
most recently published release.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Update actions and recompile workflows with v6.0.2
38e81c3 
- Updated GitHub Actions to latest versions using fixed semver resolution
- actions/checkout: v5.0.1 → v6.0.2 (correctly selects highest semver)
- actions/download-artifact: stays at v6.0.0
- actions/github-script: v7.0.1/v8.0.0 → v8
- Recompiled all 140 workflows to use updated action pins

The release resolution fix ensures actions are upgraded to the highest
semantic version, not just the most recently published release.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Jan 26, 2026

@copilot fix the release resolution algorithm to keep the "highest" semver version, rather than just the latest release.

Fixed in 38e81c3. The release resolution algorithm now sorts all releases by semantic version before selecting the highest compatible version, ensuring we always get v6.0.2 (highest) instead of v5.0.1 (most recent).

Copilot AI changed the title Recompile workflows to sync lock files with markdown sources Fix release resolution algorithm and recompile workflows with correct action versions Jan 26, 2026
@pelikhan pelikhan marked this pull request as ready for review January 26, 2026 20:05
@pelikhan pelikhan merged commit a6d0285 into main Jan 26, 2026
49 checks passed
@pelikhan pelikhan deleted the copilot/recompile-workflows-lock-files-one-more-time branch January 26, 2026 20:05
This was referenced Jan 26, 2026
Closed
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pelikhan