fix: propagate ActionCache to detection job container downloads by Copilot · Pull Request #25883 · github/gh-aw

Copilot · 2026-04-12T02:00:05Z

Detection job container pulls used mutable tags while the agent job correctly used SHA-pinned references, defeating supply-chain pinning for threat detection.

Root cause: buildPullAWFContainersStep constructed a minimal WorkflowData for collectDockerImages but omitted ActionCache, so applyContainerPins found no cached digests and returned bare tags.

// Before — no ActionCache, pins never applied
detectionData := &WorkflowData{
    Tools:         map[string]any{},
    AI:            engineSetting,
    SandboxConfig: &SandboxConfig{...},
}

// After
detectionData := &WorkflowData{
    Tools:         map[string]any{},
    AI:            engineSetting,
    SandboxConfig: &SandboxConfig{...},
    ActionCache:   data.ActionCache,
}

Before (detection job):

gh-aw-firewall/agent:0.25.18 gh-aw-firewall/api-proxy:0.25.18 gh-aw-firewall/squid:0.25.18

After (detection job):

gh-aw-firewall/agent:0.25.18@sha256:c77e8c26... gh-aw-firewall/api-proxy:0.25.18@sha256:d16a40a3... gh-aw-firewall/squid:0.25.18@sha256:eb102afc...

One-line fix in pkg/workflow/threat_detection.go
All 187 lock files recompiled with pinned detection container refs

The buildPullAWFContainersStep created a minimal WorkflowData without the ActionCache from the parent data, causing collectDockerImages to skip container digest pinning for detection job downloads. This resulted in the detection job pulling containers by mutable tag (e.g., ghcr.io/github/gh-aw-firewall/agent:0.25.18) while the agent job correctly used pinned SHA references (e.g., ...agent:0.25.18@sha256:c77e8c26...). Fix: copy ActionCache from the parent WorkflowData so applyContainerPins can resolve cached digest pins for the detection job's images. Agent-Logs-Url: https://github.com/github/gh-aw/sessions/98fc03ca-fa39-475c-87e8-2f693b382a82 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot

Pull request overview

Fixes threat-detection container pre-pulls to use SHA256-pinned image references by propagating ActionCache into the detection-job image collection context, restoring supply-chain pinning guarantees.

Changes:

Propagate WorkflowData.ActionCache into the minimal detection WorkflowData used by collectDockerImages.
Regenerate workflow lock files so detection job container download steps include digest-pinned (@sha256:…) image references.

Show a summary per file

File	Description
pkg/workflow/threat_detection.go	Propagates `ActionCache` so detection-job AWF container pulls use digest pins.
.github/workflows/workflow-skill-extractor.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/workflow-normalizer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/workflow-health-manager.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/workflow-generator.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/weekly-safe-outputs-spec-review.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/weekly-issue-summary.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/weekly-editors-health-check.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/weekly-blog-post-writer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/video-analyzer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/update-astro.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/unbloat-docs.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/ubuntu-image-analyzer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/typist.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/tidy.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/test-quality-sentinel.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/test-project-url-default.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/test-dispatcher.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/test-create-pr-error-handling.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/terminal-stylist.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/technical-doc-writer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/super-linter.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/sub-issue-closer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/step-name-alignment.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/static-analysis-report.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/stale-repo-identifier.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-workflow-call.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-workflow-call-with-inputs.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-update-cross-repo-pr.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-test-tools.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-temporary-id.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-service-ports.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-project.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-multi-pr.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-gemini.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-create-cross-repo-pr.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-copilot.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-copilot-arm.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-codex.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-claude.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-call-workflow.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-agent-scoped-approved.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-agent-public-none.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-agent-public-approved.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-agent-all-none.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/smoke-agent-all-merged.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/slide-deck-maintainer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/sergo.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/semantic-function-refactor.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/security-review.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/security-compliance.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/scout.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/schema-feature-coverage.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/schema-consistency-checker.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/safe-output-health.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/research.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/repository-quality-improver.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/repo-tree-map.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/repo-audit-analyzer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/release.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/refiner.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/refactoring-cadence.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/q.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/python-data-charts.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/prompt-clustering-analysis.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/pr-triage-agent.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/pr-nitpick-reviewer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/portfolio-analyst.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/poem-bot.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/plan.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/pdf-summary.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/org-health-report.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/notion-issue-summary.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/mergefest.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/mcp-inspector.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/lockfile-stats.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/layout-spec-maintainer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/jsweep.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/issue-triage-agent.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/issue-monster.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/issue-arborist.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/instructions-janitor.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/hourly-ci-cleaner.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/grumpy-reviewer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/gpclean.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/go-pattern-detector.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/go-logger.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/go-fan.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/glossary-maintainer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/github-remote-mcp-auth-test.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/github-mcp-tools-report.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/github-mcp-structural-analysis.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/functional-pragmatist.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/firewall-escape.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/example-workflow-analyzer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/duplicate-code-detector.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/draft-pr-cleanup.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/docs-noob-tester.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/discussion-task-miner.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/dictation-prompt.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/developer-docs-consolidator.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/dev.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/dev-hawk.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/design-decision-gate.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/dependabot-go-checker.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/dependabot-burner.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/delight.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/deep-report.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/dead-code-remover.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-workflow-updater.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-testify-uber-super-expert.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-team-status.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-team-evolution-insights.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-syntax-error-quality.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-semgrep-scan.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-security-red-team.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-secrets-analysis.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-safe-outputs-conformance.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-safe-output-optimizer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-safe-output-integrator.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-repo-chronicle.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-rendering-scripts-verifier.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-regulatory.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-performance-summary.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-otel-instrumentation-advisor.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-observability-report.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-news.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-multi-device-docs-tester.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-mcp-concurrency-analysis.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-issues-report.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-integrity-analysis.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-function-namer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-firewall-report.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-file-diet.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-fact.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-doc-updater.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-doc-healer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-compiler-quality.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-community-attribution.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-code-metrics.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-cli-tools-tester.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-cli-performance.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-choice-test.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-assign-issue-to-user.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/daily-architecture-diagram.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/craft.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/copilot-token-optimizer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/copilot-token-audit.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/copilot-session-insights.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/copilot-pr-prompt-analysis.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/copilot-pr-nlp-analysis.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/copilot-pr-merged-report.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/copilot-cli-deep-research.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/copilot-agent-analysis.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/contribution-check.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/constraint-solving-potd.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/commit-changes-analyzer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/code-simplifier.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/code-scanning-fixer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/cloclo.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/cli-version-checker.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/cli-consistency-checker.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/claude-code-user-docs-review.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/ci-doctor.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/ci-coach.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/breaking-change-checker.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/brave.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/blog-auditor.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/auto-triage-issues.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/audit-workflows.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/artifacts-summary.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/architecture-guardian.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/archie.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/approach-validator.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/api-consumption-report.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/agentic-observability-kit.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/agent-persona-explorer.lock.yml	Updates detection container download step to use digest-pinned AWF images.
.github/workflows/agent-performance-analyzer.lock.yml	Updates detection container download step to use digest-pinned AWF images.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Files reviewed: 178/178 changed files
Comments generated: 1

pkg/workflow/threat_detection.go

 	detectionData := &WorkflowData{
 		Tools: map[string]any{},
 		AI:    engineSetting,
 		SandboxConfig: &SandboxConfig{
 			Agent: &AgentSandboxConfig{
 				Type: SandboxTypeAWF,
 			},
 		},
+		ActionCache: data.ActionCache, // Propagate cache so container digest pins are applied
 	}


Copilot AI assigned Copilot and pelikhan Apr 12, 2026

Copilot created this pull request from a session on behalf of pelikhan April 12, 2026 02:00 View session

pelikhan marked this pull request as ready for review April 12, 2026 02:00

Copilot AI review requested due to automatic review settings April 12, 2026 02:00

pelikhan merged commit d8ca47b into main Apr 12, 2026
52 of 54 checks passed

pelikhan deleted the copilot/review-downloads-configuration branch April 12, 2026 02:00

Copilot started reviewing on behalf of pelikhan April 12, 2026 02:01 View session

Copilot AI reviewed Apr 12, 2026

View reviewed changes

github-actions bot mentioned this pull request Apr 12, 2026

[aw] No-Op Runs #25214

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: propagate ActionCache to detection job container downloads#25883

fix: propagate ActionCache to detection job container downloads#25883
pelikhan merged 1 commit intomainfrom
copilot/review-downloads-configuration

Copilot AI commented Apr 12, 2026

Uh oh!

Uh oh!

Copilot AI left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

Copilot AI commented Apr 12, 2026

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Copilot's findings

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants