Use GitHub API for lock file timestamp checks instead of repository checkout

[Copilot]

The activation job previously checked out the repository to compare file modification times between workflow source (.md) and compiled lock file (.lock.yml). This required a checkout step with sparse-checkout configuration.

Changes

New JavaScript implementation

• Created check_workflow_timestamp_api.cjs using github.rest.repos.listCommits to fetch last commit for each file
• Compares commit dates instead of filesystem timestamps
• Outputs commit SHAs with clickable links in step summary

Compiler updates

• Removed checkout step from activation job generation in buildActivationJob()
• Updated to use API-based script instead of filesystem-based script
• contents: read permission now used for API access (previously for checkout)

Test updates

• Updated activation_checkout_test.go to verify checkout absence and API usage
• Updated task_and_reaction_permissions_test.go to validate GitHub API calls

Example output

Before:

steps:
  - name: Checkout workflows
    uses: actions/checkout@v5
    with:
      sparse-checkout: |
        .github/workflows
  - name: Check workflow file timestamps
    # ... filesystem stat checks

After:

steps:
  - name: Check workflow file timestamps
    uses: actions/github-script@v8
    with:
      script: |
        const response = await github.rest.repos.listCommits({
          owner, repo, path, per_page: 1, sha: ref
        });
        // ... compare commit dates

All 80 workflows updated to use GitHub API approach.

Original prompt

Update the activation job to check the lock file up to date using JavaScript actions/github-script.

• remove checkout step
• add JavaScript call that uses GitHub APIs, both files should be set in the same commit
• update permissions if needed
• show output on core.info and step summary

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[github-actions]

Agentic Changeset Generator triggered by this pull request.

[Copilot]

Pull Request Overview

This PR modernizes the workflow timestamp checking mechanism by replacing filesystem-based checks (which required a repository checkout) with GitHub API calls. The activation job now uses github.rest.repos.listCommits to fetch the last commit timestamps for both the source .md file and compiled .lock.yml file, comparing commit dates instead of filesystem modification times.

Key Changes:

• Created API-based timestamp checking script (check_workflow_timestamp_api.cjs)
• Removed checkout step from activation job generation
• Updated tests to verify absence of checkout and presence of API calls
• Regenerated all 80+ workflow lock files with the new approach

Reviewed Changes

Copilot reviewed 87 out of 87 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pkg/workflow/js/check_workflow_timestamp_api.cjs	New JavaScript implementation using GitHub API for timestamp checks with commit SHA links
pkg/workflow/js.go	Updated embedded script reference from checkWorkflowTimestampScript to checkWorkflowTimestampAPIScript
pkg/workflow/compiler_jobs.go	Removed checkout step generation and updated comments to reflect API-based approach
pkg/workflow/activation_checkout_test.go	Renamed test and updated assertions to verify no checkout and API usage
pkg/workflow/task_and_reaction_permissions_test.go	Updated test assertions to validate GitHub API calls instead of checkout
.github/workflows/*.lock.yml	All 80 workflow lock files regenerated with new API-based timestamp check
docs/src/content/docs/status.mdx	Updated workflow status table (unrelated workflow name changes)
docs/src/content/docs/reference/frontmatter-full.md	Documentation updates (unrelated timeout default and field descriptions)
.changeset/patch-api-timestamp-checks.md	Changeset file documenting the patch

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.