Skip to content

FAP-WEB-WORKFLOW-ACTION-REF-INTEGRITY-01: verify pinned workflow action refs#1722

Merged
fermatmind merged 1 commit into
mainfrom
codex/fap-web-workflow-action-ref-integrity-01
Jul 12, 2026
Merged

FAP-WEB-WORKFLOW-ACTION-REF-INTEGRITY-01: verify pinned workflow action refs#1722
fermatmind merged 1 commit into
mainfrom
codex/fap-web-workflow-action-ref-integrity-01

Conversation

@fermatmind

Copy link
Copy Markdown
Owner

What changed

  • Replaced the invalid actions/upload-artifact pinned SHA in llms-feed-cache-ops and personality-agent-auto-runner with the current resolvable v4 tag SHA.
  • Standardized public-performance-audit workflow actions onto the blessed action lock.
  • Added scripts/verify-github-action-refs.mjs to enforce blessed workflow actions and resolve pinned refs with git ls-remote.
  • Added a focused workflow action integrity contract test so workflow checks cannot pass by string matching alone.
  • Fixed existing actionlint findings in codex-autofix and personality-agent-auto-runner without changing their operational intent.

Why

The llms feed cache-only ops run failed before execution because GitHub could not resolve the pinned actions/upload-artifact SHA. This PR makes the workflow refs auditable and blocks invalid pins before future ops workflows reach production environment gates.

Validation

  • node scripts/verify-github-action-refs.mjs --resolve
  • actionlint .github/workflows/*.yml
  • ruby -e 'require "yaml"; Dir[".github/workflows/*.{yml,yaml}"].sort.each { |f| YAML.load_file(f); puts "parsed #{f}" }'
  • PATH=/Users/rainie/.cache/codex-runtimes/codex-primary-runtime/dependencies/node/bin:$PATH /usr/local/bin/pnpm exec vitest run tests/contracts/workflow-action-ref-integrity.contract.test.ts tests/contracts/llms-feed-cache-ops-workflow.contract.test.ts tests/contracts/audit-prr2-web-04-actions-sha-pinning.contract.test.ts
  • PATH=/Users/rainie/.cache/codex-runtimes/codex-primary-runtime/dependencies/node/bin:$PATH /usr/local/bin/pnpm typecheck
  • PATH=/Users/rainie/.cache/codex-runtimes/codex-primary-runtime/dependencies/node/bin:$PATH /usr/local/bin/pnpm test:contract
  • git diff --check

Deferred items

  • No deployment.
  • No CMS writes or eligibility changes.
  • No Search Queue or IndexNow.
  • No llms feed cache ops rerun in this PR; rerun after merge.

Repository rule impact

Workflow-only repair. No content authority, public API, sitemap, llms enumeration, CMS ownership, or frontend fallback boundary changes.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 248eaceddd

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

checked.add(key);

const repoUrl = `https://github.com/${blessed.repo}.git`;
const ref = blessed.tag ? `refs/tags/${blessed.tag}` : blessed.sha;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Resolve pinned SHAs instead of moving major tags

Because the CI contracts job runs pnpm test:contract, this --resolve path becomes a required check for every PR, but it validates mutable major tags (refs/tags/v4, v6, etc.) against the blessed SHA. When an upstream action advances a major tag to a new patch release, this will fail CI even though every workflow is still pinned to a valid immutable commit; the guard for the previous invalid-pin outage should instead verify the pinned SHA is reachable or lock exact release refs.

Useful? React with 👍 / 👎.

@fermatmind fermatmind merged commit 355355a into main Jul 12, 2026
7 checks passed
@fermatmind fermatmind deleted the codex/fap-web-workflow-action-ref-integrity-01 branch July 12, 2026 15:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant