Warn on outdated action versions in user-provided steps #43455
Status: Open. Copilot wants to merge 10 commits into main from copilot/scan-user-provided-steps.
Diff stats: +385 −1
Commits (10):
e5660e8 (Copilot): Add outdated action version warning in compiler step processing
a5d03c9 (Copilot): Make outdated-action warning message more actionable
99deb49 (github-actions[bot]): docs: add draft ADR-43455 for compile-time outdated action version wa…
7a3d71b (pelikhan): Merge branch 'main' into copilot/scan-user-provided-steps
bc05783 (Copilot): fix outdated action warning review feedback
2a6367c (pelikhan): Merge branch 'main' into copilot/scan-user-provided-steps
a8e881b (Copilot): Fix pr-sous-chef contract expectation
57895b8 (Copilot): test: harden outdated warning dedup assertion
2b8e737 (Copilot): test: narrow outdated warning dedup match
8a2e0bd (Copilot): Merge remote-tracking branch 'origin/main' into copilot/scan-user-pro…
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| # ADR-43455: Warn on Outdated Action Versions in User-Provided Steps | ||
|
|
||
| **Date**: 2026-07-05 | ||
| **Status**: Draft | ||
| **Deciders**: Unknown | ||
|
|
||
| --- | ||
|
|
||
| ### Context | ||
|
|
||
| AI agents that generate workflow files frequently emit `uses:` step references with stale | ||
| major versions (e.g. `actions/checkout@v3`) even when a newer version is recorded in the | ||
| embedded `action_pins.json`. Before this change, those outdated tags were silently accepted | ||
| and pinned to the corresponding (old) SHA, giving users no signal that their workflow file | ||
| should be updated. The compiler already maintains an embedded list of latest action pins, | ||
| making it the natural place to surface this discrepancy at compile time rather than leaving | ||
| it to downstream runtime surprises. | ||
|
|
||
| ### Decision | ||
|
|
||
| We will add a compile-time warning (`warnIfOutdatedActionVersion`) hooked into the single | ||
| action-pinning entry point (`applyActionPinToTypedStep`) that emits a stderr diagnostic | ||
| whenever a user-supplied version tag is strictly older than the latest version in the | ||
| embedded pin database. Partial major-only tags (e.g. `@v4`) are treated as floating | ||
| within-major references and only warned on when a higher major is available. SHA refs and | ||
| non-semver refs are silently skipped to avoid false positives. Warnings are deduplicated | ||
| per `repo@version` pair within a single compilation run via `WorkflowData.ActionPinWarnings`. | ||
|
|
||
| ### Alternatives Considered | ||
|
|
||
| #### Alternative 1: Hard-fail compilation on outdated version tags | ||
|
|
||
| Reject the workflow at compile time with an error instead of a warning, forcing users to | ||
| update the version tag before proceeding. This would provide stronger enforcement but is | ||
| too disruptive: partial major tags like `@v4` are still valid floating references within | ||
| that major series, and treating them as errors would break legitimate workflows. A warning | ||
| preserves forward motion while still surfacing the issue. | ||
|
|
||
| #### Alternative 2: Silently upgrade the version tag to the latest | ||
|
|
||
| Automatically rewrite the `uses:` field to the latest version from `action_pins.json` | ||
| without user intervention. This avoids the warning noise but silently mutates | ||
| user-provided workflow content, violating the principle that the compiler should not | ||
| change user intent without explicit confirmation. It would also interact poorly with | ||
| SHA-pinning strategies where the caller expects a specific version to be pinned. | ||
|
|
||
| ### Consequences | ||
|
|
||
| #### Positive | ||
| - Users and AI agents receive an actionable compile-time warning when a stale action | ||
| version is specified, enabling them to update the workflow source rather than silently | ||
| accumulating technical debt. | ||
| - Deduplication via `ActionPinWarnings` ensures repeated steps (pre-steps, steps, | ||
| post-steps) produce exactly one diagnostic per `repo@version` pair per compilation run. | ||
| - SHA refs and branch refs are silently skipped, eliminating false positives for already- | ||
| pinned workflows. | ||
| - Partial major tags (`@vN`) are correctly treated as floating references, avoiding | ||
| spurious warnings for valid usage. | ||
|
|
||
| #### Negative | ||
| - The warning is written to stderr only; it is not surfaced in structured output or | ||
| returned as a typed diagnostic, so programmatic consumers cannot easily filter or act | ||
| on it. | ||
| - Warning accuracy depends on `action_pins.json` being kept up-to-date; a stale pin | ||
| database means outdated versions may not be flagged. | ||
| - Teams that intentionally pin to an older major version for compatibility will see | ||
| warnings they cannot currently suppress on a per-action basis. | ||
|
|
||
| #### Neutral | ||
| - The new `ActionPinWarnings` map is added to `WorkflowData`, slightly increasing the | ||
| struct's memory footprint per compilation run. | ||
| - The feature is integrated at the single pinning entry point (`applyActionPinToTypedStep`), | ||
| so all callers — user-provided steps, pre-steps, pre-agent-steps, and post-steps — get | ||
| the check automatically without further changes. | ||
|
|
||
| --- | ||
|
|
||
| *ADR created by [adr-writer agent]. Review and finalize before changing status from Draft to Accepted.* |
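Review bot: The `#### Negative` section leaves out the blind spot that the Decision itself creates: because "SHA refs and non-semver refs are silently skipped", a step that is already pinned to the commit of an outdated release is never flagged, even though the Context section motivates the whole feature by stale tags being "pinned to the corresponding (old) SHA". Suggest adding a bullet under `#### Negative` along the lines of "SHA-pinned steps are not compared against `action_pins.json`, so a workflow pinned to an old release's commit receives no warning; the check only helps workflows that still use version tags." Two smaller consistency points in the same file: the Decision says "SHA refs and non-semver refs are silently skipped" while the Positive bullet says "SHA refs and branch refs are silently skipped", so pick one wording (branch refs are only one kind of non-semver ref); and `**Deciders**: Unknown` should be filled in before the status moves from Draft to Accepted, as the closing note already asks.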
[/grill-with-docs] The warning message emitted to stderr is formatted as a single long sentence with no newline separation from the "Consider upgrading" suggestion. The PR's example output in the description shows a two-line format — the implementation collapses it into one line, which differs from what's advertised.
💡 Match the PR's documented output format
The PR description shows:
Splitting the message at the period keeps the warning scannable:
@copilot please address this.