Resolve --gh-aw-ref branch/tag to commit SHA at compile time #38689
dsyme wants to merge 2 commits into
Pull request overview
This pull request makes `gh aw compile --gh-aw-ref <BRANCH|TAG>` resolve the provided ref to an immutable 40-character commit SHA at compile time, preventing compiled `.lock.yml` files from silently drifting as branches move or tags are recreated.

Changes:
- Added `workflow.ResolveGhAwRef(ctx, ref)` to resolve branch/tag refs to full commit SHAs (skipping resolution when already given a full SHA).
- Updated the `compile` command's `--gh-aw-ref` handling to resolve early and fail fast on resolution errors.
- Updated `DEVGUIDE.md` and CLI flag help text to document SHA-resolution behavior.
| File | Description |
|---|---|
| `pkg/workflow/action_resolver.go` | Adds `ResolveGhAwRef` to resolve github/gh-aw refs to full SHAs via `gh api`. |
| `cmd/gh-aw/main.go` | Uses `ResolveGhAwRef` when `--gh-aw-ref` is provided; updates help text accordingly. |
| `DEVGUIDE.md` | Documents that branch/tag refs are resolved to SHAs at compile time for immutability. |
Copilot's findings
- Files reviewed: 3/3 changed files
- Comments generated: 3
| resolverLog.Printf("Resolving --gh-aw-ref %q to commit SHA via GitHub API", ref) | ||
| apiPath := fmt.Sprintf("/repos/github/gh-aw/commits/%s", ref) | ||
| callCtx, cancel := context.WithTimeout(ctx, 30*time.Second) |
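Review bot: `ref` goes into `apiPath` through `fmt.Sprintf("/repos/github/gh-aw/commits/%s", ref)` without any validation, so a value containing `?`, `#` or `..` changes which endpoint or query the `gh api` call hits instead of naming a ref. This value comes straight from the `--gh-aw-ref` flag, so reject anything that is not a plausible branch or tag name before building the path and return a clear error for it.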
| cmd := ExecGHContext(callCtx, "api", apiPath, "--jq", ".sha") | ||
| output, err := cmd.Output() | ||
| if err != nil { | ||
| return "", fmt.Errorf("failed to resolve gh-aw ref %q to SHA: %w", ref, err) | ||
| } |
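Review bot: the `if err != nil` branch covers only a failed `gh` invocation; nothing in these lines checks what `cmd.Output()` actually returned. Since the result is meant to be an immutable pin, trim `output` and require it to pass `gitutil.IsValidFullSHA` before returning it, so an empty or unexpected value from `--jq .sha` becomes an error instead of a pin. Including the command's stderr in the wrapped error would also help, because `%w` on an exit error alone usually reads as just an exit status.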
| func ResolveGhAwRef(ctx context.Context, ref string) (string, error) { | ||
| if gitutil.IsValidFullSHA(ref) { | ||
| resolverLog.Printf("--gh-aw-ref %q is already a full SHA, no resolution needed", ref) | ||
| return ref, nil | ||
| } |
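Review bot: the early return at `if gitutil.IsValidFullSHA(ref)` accepts any 40-character hex string without confirming that it names a commit in github/gh-aw, so a mistyped SHA is passed through as the pin and only fails later. Either verify the SHA with the same API lookup, or state in the function's doc comment and the flag help that full SHAs are passed through unverified. If `IsValidFullSHA` accepts uppercase hex, normalise to lowercase here so the pinned value has one canonical form.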

✅ smoke-ci: safeoutputs CLI comment + comment-memory run (27368233860)

Comment Memory

Note: This comment is managed by comment memory. It stores persistent context for this thread in the code block at the top of this comment.

@copilot review all comments and address unresolved review feedback. Please refresh the branch and rerun checks once that is done.

@copilot review all comments and address unresolved review feedback.

Please rerun checks after the branch refresh and summarize any remaining blockers.

Summary
When `gh aw compile --gh-aw-ref BRANCH|TAG` is used, the compiler previously baked the mutable branch or tag name directly into the compiled `.lock.yml` files. This means the ref could silently drift if the branch moves or the tag is recreated.

This change resolves the supplied ref to its commit SHA at compile time, so the baked-in ref is immutable.

Changes

- `pkg/workflow/action_resolver.go` — new `ResolveGhAwRef(ctx, ref)` function:
  - If `ref` is already a 40-char hex SHA, returns it unchanged (no network call)
  - `gh api /repos/github/gh-aw/commits/{ref} --jq .sha`, which accepts branches and tag names
- `cmd/gh-aw/main.go` — `--gh-aw-ref` handler calls `ResolveGhAwRef` before building `CompileConfig`, failing fast with a descriptive error if the ref can't be resolved. Updated flag description to document SHA resolution behaviour.
- `DEVGUIDE.md` — updated the `--gh-aw-ref` section to document that branch/tag names are resolved to SHAs at compile time.

Before / After
Branch refresh requested by pr-sous-chef for run https://github.com/github/gh-aw/actions/runs/27381978065
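
An added example, not code from this pull request: the resolve-and-pin flow from the Summary above in self-contained Go, with the ref checked before it enters the API path and the returned value checked before it is used as a pin. `pinRef`, `commitsAPIPath`, `parseSHA`, the `fetch` hook (standing in for the `gh api` call), the allow-list pattern and the sample SHA are assumptions made for illustration, not the project's API.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	fullSHA   = regexp.MustCompile(`^[0-9a-f]{40}$`)                     // 40-char lowercase hex commit SHA
	safeRef   = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]*$`)      // assumed allow-list, stricter than git's ref rules
	sampleOut = []byte("0123456789abcdef0123456789abcdef01234567\n") // constructed response with a made-up SHA
)

// commitsAPIPath validates ref, then builds the commits endpoint path for it.
func commitsAPIPath(ref string) (string, error) {
	if !safeRef.MatchString(ref) || strings.Contains(ref, "..") {
		return "", fmt.Errorf("refusing to resolve invalid ref %q", ref)
	}
	return "/repos/github/gh-aw/commits/" + ref, nil
}

// parseSHA trims the resolver output and accepts only a full commit SHA.
func parseSHA(out []byte) (string, error) {
	sha := strings.TrimSpace(string(out))
	if !fullSHA.MatchString(sha) {
		return "", fmt.Errorf("resolver returned %q, not a 40-character SHA", sha)
	}
	return sha, nil
}

// pinRef returns a full SHA for ref; fetch is a hypothetical hook standing in for the `gh api` call.
func pinRef(ref string, fetch func(apiPath string) ([]byte, error)) (string, error) {
	if fullSHA.MatchString(ref) {
		return ref, nil // already immutable: no lookup
	}
	apiPath, err := commitsAPIPath(ref)
	if err != nil {
		return "", err
	}
	out, err := fetch(apiPath)
	if err != nil {
		return "", fmt.Errorf("failed to resolve ref %q to SHA: %w", ref, err)
	}
	return parseSHA(out)
}

func main() {
	fmt.Println(pinRef("main", func(string) ([]byte, error) { return sampleOut, nil }))
}
```

An uppercase 40-character SHA does not match `fullSHA`, so it goes through the lookup and comes back in the canonical lowercase form.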