fix: trust gh-aw infrastructure actions in safe update enforcement#25891

Merged
pelikhan merged 4 commits into main from fix/trust-gh-aw-actions-in-safe-update
Apr 12, 2026

Conversation

@dsyme
Collaborator

@dsyme dsyme commented Apr 12, 2026

Problem

gh aw upgrade can update the setup action repo path from github/gh-aw/actions/setup to github/gh-aw-actions/setup. Safe update enforcement then flags the new path as an "unapproved action" because only the actions/ GitHub org was in the trusted set.

This produces a spurious warning:

safe update mode detected unapproved changes

New unapproved action(s):
  - github/gh-aw-actions/setup

Fix

Add github/gh-aw/actions/ and github/gh-aw-actions/ as trusted action prefixes in isTrustedActionRepo(), alongside the existing actions/ org trust. These are gh-aw's own infrastructure actions that get upgraded automatically by gh aw upgrade, so they should never be flagged as unapproved third-party additions.

Changes

  • pkg/workflow/safe_update_enforcement.go: Replace narrow isActionsOrgRepo() with isTrustedActionRepo() that also trusts gh-aw infrastructure action prefixes
  • pkg/workflow/safe_update_enforcement_test.go: Add tests for gh-aw action trust, including the exact upgrade scenario (old path in manifest, new path in compilation)

Safe update enforcement only trusted actions under the actions/ GitHub
org. When `gh aw upgrade` changed the setup action from
github/gh-aw/actions/setup to github/gh-aw-actions/setup, the new repo
path was flagged as 'unapproved' because it wasn't in the manifest and
wasn't in the trusted set.

Add github/gh-aw/actions/ and github/gh-aw-actions/ as trusted action
prefixes alongside actions/, since these are gh-aw's own infrastructure
actions that get upgraded automatically by `gh aw upgrade`.
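The enforcement logic described above, as an added example (a reconstruction written for this page, not the project's own code): a prefix allowlist in which every entry ends in "/" so the match stops at a path-segment boundary, applied to the exact upgrade scenario (old path in the manifest, new path in the compilation). The helper name unapprovedActions, the manifest-as-set shape and the sample action paths are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// trustedActionPrefixes: the actions/ GitHub org plus gh-aw's own infrastructure
// actions, which `gh aw upgrade` rewrites automatically. Each prefix ends in "/"
// so "github/gh-aw-actions/" cannot match some other "github/gh-aw-actions-*" repo.
var trustedActionPrefixes = []string{
	"actions/",
	"github/gh-aw/actions/",
	"github/gh-aw-actions/",
}

// isTrustedActionRepo reports whether repo (e.g. "github/gh-aw-actions/setup",
// without any "@ref" suffix) falls under a trusted prefix.
func isTrustedActionRepo(repo string) bool {
	for _, p := range trustedActionPrefixes {
		if strings.HasPrefix(repo, p) {
			return true
		}
	}
	return false
}

// unapprovedActions returns, sorted, the action repo paths in the compiled
// workflow that are neither recorded in the manifest nor trusted (assumed shape).
func unapprovedActions(manifest map[string]bool, compiled []string) []string {
	var out []string
	for _, repo := range compiled {
		if manifest[repo] || isTrustedActionRepo(repo) {
			continue
		}
		out = append(out, repo)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed inputs: the upgrade scenario from the PR (old path in the
	// manifest, new path after upgrade) plus one third-party action to report.
	manifest := map[string]bool{"github/gh-aw/actions/setup": true}
	compiled := []string{"github/gh-aw-actions/setup", "actions/checkout", "someorg/some-action"}
	fmt.Println(unapprovedActions(manifest, compiled)) // [someorg/some-action]
}
```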
Copilot AI review requested due to automatic review settings April 12, 2026 04:42
Contributor

Copilot AI left a comment


Pull request overview

Updates safe-update enforcement to avoid falsely flagging gh-aw’s own infrastructure actions as “unapproved” when gh aw upgrade rewrites action paths.

Changes:

  • Replace isActionsOrgRepo() with isTrustedActionRepo() to allow both actions/ org actions and gh-aw infrastructure action prefixes.
  • Add regression tests covering the gh aw upgrade path rewrite scenario and first-compile behavior.
File | Description
pkg/workflow/safe_update_enforcement.go | Expands the trusted action allowlist logic to include gh-aw infrastructure action prefixes.
pkg/workflow/safe_update_enforcement_test.go | Adds test cases ensuring gh-aw infrastructure actions are exempted from “unapproved action” violations.

Copilot's findings


  • Files reviewed: 2/2 changed files
  • Comments generated: 0

@github-actions github-actions bot mentioned this pull request Apr 12, 2026
@pelikhan pelikhan merged commit 3ba3773 into main Apr 12, 2026
57 of 58 checks passed
@pelikhan pelikhan deleted the fix/trust-gh-aw-actions-in-safe-update branch April 12, 2026 09:49