Skip warnings for actions already pinned to full SHAs

[Copilot]

Actions pinned to full 40-character SHAs were triggering unnecessary dynamic resolution warnings like:

⚠ Unable to resolve actions/checkout@93cb6efe18208431cddfb9bfd dynamically, using hardcoded pin for actions/checkout@v5.0.1

Changes

Modified GetActionPinWithData() to detect and handle SHA-based versions:

• Skip dynamic resolution for SHAs (GitHub API can't resolve commit SHAs to tags)
• Check hardcoded pins for SHA matches to preserve version tag annotation
• Suppress warnings throughout all code paths when version is a SHA

Added test coverage:

• TestGetActionPinWithData_AlreadySHA verifies no warnings for SHA-pinned actions
• Validates both known SHAs (annotated with version tags) and unknown SHAs (returned as-is)

Behavior

# Before: Warning issued
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd

# After: No warning, SHA annotated if known in pins
# → actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1

Preserves existing SHA-to-version annotation when SHA matches a hardcoded pin.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/user
  • Triggering command: /usr/bin/gh gh api user --jq .login -json GO111MODULE 0.1-go1.25.0.linGOMODCACHE GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 0.1-go1.25.0.linux-amd64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

No need to issue warnings for custom actions pinned to a long sha. See this error when compiling:

⚠ Unable to resolve actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd dynamically, using hardcoded pin for actions/checkout@v5.0.1
⚠ Unable to resolve actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f dynamically, using hardcoded pin for actions/setup-node@v6.1.0
✓ .github/workflows/playground-snapshots-refresh.md (54.3 KB)

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

---

Changeset

• Type: patch
• Description: Skip dynamic resolution warnings for actions pinned to full SHAs; preserve known SHA->version annotations when available.

Ahoy! This treasure was crafted by 🏴‍☠️ Changeset Generator

[pelikhan]

@copilot same error here:

⚠ Unable to pin action githubnext/gh-aw/actions/setup@623e612ff6a684e9a8634449508bdda21e2c178c: resolution failed
⚠ Unable to pin action githubnext/gh-aw/actions/setup@623e612ff6a684e9a8634449508bdda21e2c178c: resolution failed
⚠ Unable to pin action githubnext/gh-aw/actions/setup@623e612ff6a684e9a8634449508bdda21e2c178c: resolution failed
⚠ Unable to pin action githubnext/gh-aw/actions/setup@623e612ff6a684e9a8634449508bdda21e2c178c: resolution failed
⚠ Unable to pin action githubnext/gh-aw/actions/setup@623e612ff6a684e9a8634449508bdda21e2c178c: resolution failed
⚠ Unable to pin action githubnext/gh-aw/actions/setup@623e612ff6a684e9a8634449508bdda21e2c178c: resolution failed
✓ .github/workflows/daily-fact.md (49.0 KB)

[github-actions]

🎉 Yo ho ho! Smoke Copilot Safe Inputs found the treasure and completed successfully! ⚓💰

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

✅ Firewall validation complete... Smoke Codex Firewall confirmed network sandboxing is operational. 🛡️

[github-actions]

🤖 DIAGNOSTIC COMPLETE: Smoke Copilot No Firewall STATUS: ALL_UNITS_OPERATIONAL. MISSION_SUCCESS.

[github-actions]

📰 VERDICT: Smoke Copilot Playwright has concluded. All systems operational. This is a developing story. 🎤

[Copilot]

@copilot same error here:

⚠ Unable to pin action githubnext/gh-aw/actions/setup@623e612ff6a684e9a8634449508bdda21e2c178c: resolution failed

...

The fix is already in place in commit f085d95. I tested compiling .github/workflows/daily-fact.md with the current code and confirmed no warnings are issued for the custom action SHA githubnext/gh-aw/actions/setup@623e612ff6a684e9a8634449508bdda21e2c178c.

Please rebuild the binary with make build to pick up the changes. The fix handles all SHA-based versions including custom actions with the action-tag feature.

[github-actions]

Smoke Test Results: Copilot Safe Inputs

✅ File Writing: Successfully created /tmp/gh-aw/agent/smoke-test-copilot-20686026485.txt
✅ Bash Tool: File verification successful
❌ safeinputs-gh Tool: Tool not available in current context

Overall Status: FAIL

The safeinputs-gh tool is not accessible in this workflow execution.

AI generated by Smoke Copilot Safe Inputs

[github-actions]

Copilot Smoke Test Results

Last 2 Merged PRs:

• Add default value to engine field in included_file_schema.json #8814: Add default value to engine field in included_file_schema.json
• Add $comment validation documentation to stdio_mcp_tool in included schema #8813: Add $comment validation documentation to stdio_mcp_tool in included schema

Test Results:

• ✅ GitHub MCP Testing (fetched PRs successfully)
• ✅ File Writing Testing (created agent test file)
• ✅ Bash Tool Testing (verified file creation)
• ✅ GitHub MCP Default Toolset (confirmed get_me not in default toolsets - error as expected)
• ✅ Cache Memory Testing (created and verified cache file)
• ✅ Available Tools: add_comment, add_labels, create_issue, missing_tool, noop

Overall Status: PASS ✅

@pelikhan

AI generated by Smoke Copilot

[github-actions]

Smoke: Codex firewall
PRs: Add default value to engine field in included_file_schema.json; Add $comment validation documentation to stdio_mcp_tool in included schema
OpenAI curl blocked: ✅
example.com blocked: ✅
GitHub MCP merged PRs fetched: ✅
File write/read in /tmp/gh-aw/agent: ✅
Network: SANDBOXED | Overall: PASS

AI generated by Smoke Codex Firewall

[github-actions]

Smoke Test Results - Copilot Engine (No Firewall)

✅ All tests passed successfully

1. ✅ Retrieved last 2 merged PRs (Add default value to engine field in included_file_schema.json #8814, Add $comment validation documentation to stdio_mcp_tool in included schema #8813)
2. ✅ Created test file /tmp/gh-aw/agent/smoke-test-copilot-20686026487.txt
3. ✅ Navigated to https://github.com - Page title verified: "GitHub · Change is constant. GitHub keeps you ahead. · GitHub"
4. ✅ Listed 3 issues using safeinputs-gh (Copilot Smoke Test Results - Run 20685598288 #8811, [plan] Document tools scope restrictions in reference docs #8809, [plan] Document safe-outputs scope restrictions in reference docs #8808)

AI generated by Smoke Copilot No Firewall

[github-actions]

Smoke Test Results

❌ Playwright MCP Test: FAIL - Playwright module not available
✅ Cache Memory Test: PASS - File written and verified
❌ Safe Input gh Tool Test: FAIL - Tool factory method not found

Overall Status: FAIL

Tests completed for workflow run 20686026503.

AI generated by Smoke Copilot Playwright

[github-actions]

Smoke Test Results - Claude Engine

Last 2 Merged PRs:

• Add default value to engine field in included_file_schema.json #8814: Add default value to engine field in included_file_schema.json
• Add $comment validation documentation to stdio_mcp_tool in included schema #8813: Add $comment validation documentation to stdio_mcp_tool in included schema

Test Results:

• ✅ GitHub MCP (fetched PRs)
• ✅ File Writing (/tmp/gh-aw/agent/)
• ✅ Bash Tool (verified files)
• ✅ Playwright (navigated to GitHub, title verified)
• ✅ Cache Memory (/tmp/gh-aw/cache-memory/)
• ❌ Safe Input gh Tool (not available in environment)

Status: PASS (5/6 tests passed)

AI generated by Smoke Claude

[github-actions]

Recent merged PRs: #8814 Add default value to engine field in included_file_schema.json; #8813 Add $comment validation documentation to stdio_mcp_tool in included schema
GitHub MCP test ✅
Agent file write + cat ✅
Playwright title check ✅
Cache memory file ✅
safeinputs-gh issues list ❌ (command not found in environment)
Overall: FAIL

AI generated by Smoke Codex