Skip to content

fix: Correct actions/setup-node@v6 SHA and make validation fail in strict mode #5565

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
pelikhan merged 3 commits into from
Dec 4, 2025
Merged

fix: Correct actions/setup-node@v6 SHA and make validation fail in strict mode #5565

pelikhan merged 3 commits into from
Dec 4, 2025

Conversation

Copy link
Contributor

Copilot AI commented Dec 4, 2025
edited
Loading

CI tests were failing due to an incorrect SHA for actions/setup-node@v6 in the action pins configuration and a stale test assertion.

Changes

  • Fixed SHA mismatch: Corrected actions/setup-node@v6 SHA from 2028fbc5c25fe9cf00d9f06a71cc4710d4507903 to 395ad3262231945c25e8478fd5baf05154b1d79f (verified via git ls-remote)
  • Updated test assertion: Changed TestGetActionPinsSorting to expect 23 pins (was 22)
  • Recompiled workflows: Regenerated all 96 .lock.yml files with the correct SHA
  • Enhanced --validate flag: Modified ValidateActionSHAsInLockFile to return an error when outdated SHAs are found, enabling earlier detection of SHA mismatches during compilation
  • Strict mode enforcement: In strict mode (--strict), SHA mismatches now cause compilation to fail (matching behavior of zizmor/poutine/actionlint). Without strict mode, SHA mismatches emit warnings but don't fail compilation for backward compatibility.

The Makefile's recompile target already uses --validate, so this change ensures SHA mismatches are detected during make recompile and make agent-finish.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI assigned Copilot and mrjf Dec 4, 2025
Copilot AI mentioned this pull request Dec 4, 2025
Closed
@mrjf
fix: Correct actions/setup-node@v6 SHA and update test for 23 pins
e9417b6 
Co-authored-by: mrjf <180956+mrjf@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Dec 4, 2025

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/user
    • Triggering command: /usr/bin/gh gh api user --jq .login ew_comment.js GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env ts_inputs_test.go ts_recursive_test.go 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env it/ref/tags/v5 GO111MODULE .cfg GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login 440823b9e372e49f156ed6b224f0e5767f92fd0c8238075fad134cd62b90c334 GO111MODULE .cfg 5767f92fd0c8238075fad134cd62b90c334/log.json GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet env by/c4b4409d6f8d005e9bc1017e75914814b731899f2a20dbc33a15ca6525e3f90f/config.json GO111MODULE ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x/var/run/docker/runtime-runc/moby (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title [WIP] Add support for new GitHub Copilot assignment API options fix: Correct actions/setup-node@v6 SHA and update pin count test Dec 4, 2025
Copilot AI requested a review from mrjf December 4, 2025 19:41
@pelikhan pelikhan marked this pull request as ready for review December 4, 2025 19:45
@pelikhan
Copy link
Contributor

pelikhan commented Dec 4, 2025

@mrjf we should prompt the compiler to do these checks as part of the compilation with "--validate" flag

@mrjf
Copy link
Contributor

mrjf commented Dec 4, 2025

@copilot in this PR, please also prompt the compiler to do these checks as part of the compilation with "--validate" flag so that we catch this earlier

@mrjf
feat: Make action SHA validation fail in strict mode with --validate …
d56d53c 
…flag

Co-authored-by: mrjf <180956+mrjf@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Dec 4, 2025
edited
Loading

@copilot in this PR, please also prompt the compiler to do these checks as part of the compilation with "--validate" flag so that we catch this earlier

Implemented in d56d53c. The --validate flag now returns an error when outdated action SHAs are found. In strict mode (--strict), this causes compilation to fail. The Makefile's recompile target already uses --validate, so this will catch SHA mismatches during make recompile and make agent-finish.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/user
    • Triggering command: /usr/bin/gh gh api user --jq .login 5 GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env EO7kntFbX GO111MODULE ps GOINSECURE GOMOD GOMODCACHE ps (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env it/ref/tags/v5 GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login -json stmain.go 1e94d7e555c40772ec546dc55943f5956fd/log.json GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet env -java.git GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title fix: Correct actions/setup-node@v6 SHA and update pin count test fix: Correct actions/setup-node@v6 SHA and make validation fail in strict mode Dec 4, 2025
@pelikhan pelikhan merged commit cca3ec9 into update-assign-to-agent-api Dec 4, 2025
66 of 67 checks passed
@pelikhan pelikhan deleted the copilot/sub-pr-5561 branch December 4, 2025 20:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pelikhan pelikhan pelikhan approved these changes

@mrjf mrjf Awaiting requested review from mrjf

Assignees

@mrjf mrjf

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pelikhan @mrjf