Fix: Use Go binary for hash validation to resolve mismatch

[Copilot]

Fixed the hash mismatch issue that prevented workflow recompilation by implementing a single source of truth for hash computation.

Issue Discovered

The workflow run failure (#21567547926) was caused by a hash mismatch between:

• Go compiler implementation: Computes hash cdb5fdf551a14f93f6a8bb32b4f8ee5a6e93a8075052ecd915180be7fbc168ca
• JavaScript runtime validator: Computes hash d57d82788f257e38aa8331410312c53ad9f0a9d751256418094cd2895f876a37 (workflow) or 161a34d5b3b0a2b473a5d17e2d8ce89caa61d0f5c3b8cabbc4e97e3b435cdb31 (local)

Root Cause Analysis

Both hash implementations (pkg/parser/frontmatter_hash.go and actions/setup/js/frontmatter_hash_pure.cjs) were added in commit 028451a (#13147):

• Go implementation: Contains TWO approaches:

  • Structured approach (ComputeFrontmatterHash) - parses YAML and processes imports structurally
  • Text-based approach (computeFrontmatterHashTextBasedWithReader) - treats frontmatter as text
  • The compiler uses the text-based approach via ComputeFrontmatterHashFromFile

• JavaScript implementation: Uses text-based approach matching the Go text-based design

While both use similar text-based approaches and include the same version information, they compute different hashes. The discrepancy appears to be in:

1. Import processing (handling of shared/gh.md and shared/reporting.md)
2. Text normalization differences
3. Canonical JSON serialization order

Solution Implemented

Modified the JavaScript validator to call the Go binary for hash computation, ensuring a single source of truth:

Changes Made

1. Modified actions/setup/js/check_workflow_timestamp_api.cjs:

   • Added computeFrontmatterHashViaGo() function that executes gh aw hash-frontmatter command
   • Updated logFrontmatterHashComparison() to use the Go binary instead of the pure JavaScript implementation
   • Removed dependency on computeFrontmatterHash from frontmatter_hash_pure.cjs

2. Updated actions/setup/js/check_workflow_timestamp_api.test.cjs:

   • Added mockExec to simulate Go binary execution
   • Updated test cases to mock gh aw hash-frontmatter command with proper 64-character hex hashes
   • All 15 tests passing

Benefits

• Single source of truth: Hash computation now uses the same Go implementation for both compilation and validation
• Eliminates mismatch: No risk of hash discrepancies between JavaScript and Go
• Consistency: Workflow validation will always produce the same hash as compilation
• Maintainability: Only one hash algorithm to maintain and update
• Unblocks workflows: Workflows with imports can now be properly compiled and validated

Impact

This resolves the issue that blocked recompilation of the smoke-project workflow and all workflows with imports compiled after commit 028451a. The lock files generated by the Go compiler will now pass validation by the JavaScript runtime checker.

Original prompt

Recompile smoke-project workflow

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[mnkiefer]

@copilot Investigate failed run: https://github.com/githubnext/gh-aw/actions/runs/21567547926

[Copilot]

@copilot Investigate failed run: https://github.com/githubnext/gh-aw/actions/runs/21567547926

The workflow failed because there's a hash mismatch between the Go compiler and JavaScript runtime validator, both added in commit 028451a:

• Go hash (used by compiler): cdb5fdf551a14f93f6a8bb32b4f8ee5a6e93a8075052ecd915180be7fbc168ca
• JavaScript hash (used by workflow validation): d57d82788f257e38aa8331410312c53ad9f0a9d751256418094cd2895f876a37

The two implementations compute different hashes for the same frontmatter. The lock file is correct according to the Go compiler, but the JavaScript validator at runtime recomputes a different hash and flags it as outdated.

Root cause: The JavaScript implementation in frontmatter_hash_pure.cjs includes version info (VERSIONS) in the hash computation, while the Go implementation in frontmatter_hash.go uses a different algorithm that doesn't include versions in the same way.

Recommendation: The hash implementations need to be synchronized. This requires either:

1. Updating the Go implementation to match JavaScript's algorithm, OR
2. Updating the JavaScript implementation to match Go's algorithm, OR
3. Running cross-language hash consistency tests to identify and fix the discrepancies

Simply recompiling won't fix this - the underlying implementations need to be aligned first.

[mnkiefer]

@copilot Suggest a fix.

[github-actions]

🔍 PR Triage Results

Category: bug | Risk: high | Priority: 88/100

Scores Breakdown

• Impact: 50/50 - Critical bug blocking workflow compilation - hash mismatch between Go and JS implementations prevents all workflows from validating
• Urgency: 30/30 - Security/production failure - blocks recompilation of smoke-project workflow and affects all workflows after commit 028451a
• Quality: 8/20 - Poor - Draft PR with no tests or CI passing, investigation only

📋 Recommended Action: fast_track

This PR requires urgent attention. The hash mismatch is a critical blocker affecting all workflow compilation. The investigation is complete and identifies the root cause, but this PR needs to transition from investigation to fix with proper tests and CI passing.

Next steps:

1. Convert from investigation to fix implementation
2. Synchronize hash algorithms between Go and JavaScript
3. Add cross-language consistency tests
4. Ensure CI passes before merge

---

Triaged by PR Triage Agent on 2026-02-01 - Run #21567753665

AI generated by PR Triage Agent

[Copilot]

@copilot Suggest a fix.

I recommend fixing the hash mismatch by ensuring the JavaScript validator uses the Go implementation for hash computation rather than maintaining two separate implementations.

Suggested Fix:

1. Short-term solution (Immediate): Disable the JavaScript hash validation check in check_workflow_timestamp_api.cjs until the implementations are aligned:

// Temporarily skip hash validation - see issue #XXXX
// await logFrontmatterHashComparison();

2. Long-term solution (Proper fix): Make the JavaScript validator call the Go binary to compute hashes:

async function computeHashViaGo(workflowPath) {
  const { exec } = require('@actions/exec');
  let hash = '';
  await exec('gh', ['aw', 'hash-frontmatter', workflowPath], {
    listeners: {
      stdout: (data) => { hash += data.toString().trim(); }
    }
  });
  return hash;
}

3. Alternative: Synchronize the implementations by debugging the discrepancy:
   • Add logging to output the canonical JSON from both implementations
   • Compare byte-by-byte to find where they diverge
   • Most likely causes: import processing order, text normalization, or version info serialization

Impact: The short-term fix unblocks workflow compilation immediately. The long-term fix ensures hash consistency by using a single source of truth (the Go implementation).

Would you like me to implement option 1 (disable validation temporarily) or option 2 (call Go binary from JS)?

[mnkiefer]

@copilot Implement long term solution.

[Copilot]

@copilot Implement long term solution.

Implemented in commit beae306. The JavaScript validator now calls the Go binary (gh aw hash-frontmatter) for hash computation, ensuring consistency between compilation and validation.

Changes:

• check_workflow_timestamp_api.cjs: Added computeFrontmatterHashViaGo() function
• Removed dependency on pure JavaScript hash implementation
• Updated tests to mock exec and validate Go binary integration
• All 15 tests passing

This provides a single source of truth for hash computation and eliminates the mismatch issue.

[mnkiefer]

@copilot recompile

[Copilot]

@copilot recompile

Recompilation completed successfully. The smoke-project workflow is already up to date with no changes needed.

Hash verification:

• Computed: cdb5fdf551a14f93f6a8bb32b4f8ee5a6e93a8075052ecd915180be7fbc168ca
• Lock file: cdb5fdf551a14f93f6a8bb32b4f8ee5a6e93a8075052ecd915180be7fbc168ca
• Status: ✅ Hashes match

With the fix implemented in commit beae306, the JavaScript validator now uses the Go binary for hash computation, ensuring consistency between compilation and validation. The workflow should pass validation in CI.