FAP-WEB-WORKFLOW-ACTION-REF-INTEGRITY-01: verify pinned workflow action refs#1722
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 248eaceddd
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| checked.add(key); | ||
|
|
||
| const repoUrl = `https://github.com/${blessed.repo}.git`; | ||
| const ref = blessed.tag ? `refs/tags/${blessed.tag}` : blessed.sha; |
There was a problem hiding this comment.
Resolve pinned SHAs instead of moving major tags
Because the CI contracts job runs pnpm test:contract, this --resolve path becomes a required check for every PR, but it validates mutable major tags (refs/tags/v4, v6, etc.) against the blessed SHA. When an upstream action advances a major tag to a new patch release, this will fail CI even though every workflow is still pinned to a valid immutable commit; the guard for the previous invalid-pin outage should instead verify the pinned SHA is reachable or lock exact release refs.
Useful? React with 👍 / 👎.
What changed
actions/upload-artifactpinned SHA inllms-feed-cache-opsandpersonality-agent-auto-runnerwith the current resolvable v4 tag SHA.public-performance-auditworkflow actions onto the blessed action lock.scripts/verify-github-action-refs.mjsto enforce blessed workflow actions and resolve pinned refs withgit ls-remote.codex-autofixandpersonality-agent-auto-runnerwithout changing their operational intent.Why
The llms feed cache-only ops run failed before execution because GitHub could not resolve the pinned
actions/upload-artifactSHA. This PR makes the workflow refs auditable and blocks invalid pins before future ops workflows reach production environment gates.Validation
node scripts/verify-github-action-refs.mjs --resolveactionlint .github/workflows/*.ymlruby -e 'require "yaml"; Dir[".github/workflows/*.{yml,yaml}"].sort.each { |f| YAML.load_file(f); puts "parsed #{f}" }'PATH=/Users/rainie/.cache/codex-runtimes/codex-primary-runtime/dependencies/node/bin:$PATH /usr/local/bin/pnpm exec vitest run tests/contracts/workflow-action-ref-integrity.contract.test.ts tests/contracts/llms-feed-cache-ops-workflow.contract.test.ts tests/contracts/audit-prr2-web-04-actions-sha-pinning.contract.test.tsPATH=/Users/rainie/.cache/codex-runtimes/codex-primary-runtime/dependencies/node/bin:$PATH /usr/local/bin/pnpm typecheckPATH=/Users/rainie/.cache/codex-runtimes/codex-primary-runtime/dependencies/node/bin:$PATH /usr/local/bin/pnpm test:contractgit diff --checkDeferred items
Repository rule impact
Workflow-only repair. No content authority, public API, sitemap, llms enumeration, CMS ownership, or frontend fallback boundary changes.