Add --force-refresh-action-pins flag to compile command with automatic SHA validation

[Copilot]

Adds a --force-refresh-action-pins flag to clear the action cache and reset the embedded action pins list, forcing dynamic resolution of all action SHAs from GitHub API. The flag automatically enables SHA validation to verify all resolved SHAs point to valid commits.

Changes:

• CLI flag: Added --force-refresh-action-pins to compile command
• Cache clearing: Modified getSharedActionResolver() to skip loading .github/aw/actions-lock.json when flag is set
• Embedded pins reset: Added resetActionPinsFile() to clear pkg/workflow/data/action_pins.json to empty structure
• Config wiring: Added ForceRefreshActionPins field to CompileConfig and Compiler structs
• Automatic SHA validation: Modified compileSpecificFiles() and compileAllFilesInDirectory() to automatically enable action SHA validation when the flag is used, ensuring all resolved SHAs are validated by resolving them against the GitHub API

Usage:

# Clear cache and resolve all action SHAs fresh from GitHub API
gh aw compile --force-refresh-action-pins

# Result: pkg/workflow/data/action_pins.json becomes {"entries": {}}
# All action references resolve dynamically, new cache saved to .github/aw/actions-lock.json
# SHA validation runs automatically, reporting warnings for any outdated or invalid SHAs

Testing:

• Verifies cache is not loaded when flag is enabled
• Verifies action_pins.json is reset to empty structure
• Verifies graceful handling when file doesn't exist
• Verifies SHA validation is automatically enabled when flag is used

Original prompt

Add 'compile' cli flag to --force-refresh-action-pins and reset the action-pins list.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[pelikhan]

@copilot validate all sha used in the workflows by resolving the commit

[Copilot]

@copilot validate all sha used in the workflows by resolving the commit

Done! When --force-refresh-action-pins is used, action SHA validation is now automatically enabled. This means all resolved SHAs are validated by resolving them against the GitHub API to ensure they point to valid commits.

The validation logic:

• Extracts all action SHAs from the compiled lock files
• Resolves each SHA's version tag via GitHub API
• Compares current SHA with latest available SHA
• Reports warnings for any outdated or invalid SHAs

Commit: ffd20e2