Auto-regenerate gh-aw lock files in renovate PRs

.github/renovate.json5

@@ -433,5 +433,25 @@
         'npx (?<depName>[^@]+)@(?<currentValue>[^\\s]+)',
       ],
     },
+    {
+      // GitHub Actions referenced from gh-aw workflow source files
+      // (.github/workflows/*.md). Renovate's built-in github-actions
+      // manager only scans .yml/.yaml; the SHAs Renovate rewrites in
+      // the generated *.lock.yml files get overwritten on the next
+      // `gh aw compile` run unless the source .md is updated too.
+      //
+      // The depName captures the first two path segments (owner/repo)
+      // and intentionally discards any trailing subpath
+      // (e.g. `gradle/actions/setup-gradle` -> `gradle/actions`),
+      // because the github-tags datasource takes owner/repo only.
+      customType: 'regex',
+      datasourceTemplate: 'github-tags',
+      managerFilePatterns: [
+        '.github/workflows/*.md',
+      ],
+      matchStrings: [
+        'uses:\\s+(?<depName>[\\w.-]+/[\\w.-]+)(?:/[\\w./-]+)?@(?<currentDigest>[a-f0-9]{40})\\s+#\\s+(?<currentValue>v[\\d.]+)',
+      ],
+    },
   ],
 }

.github/workflows/auto-license-report.yml → .github/workflows/auto-post-renovate.yml

@@ -1,4 +1,20 @@
-name: Auto license report
+name: Auto post-renovate
+# Regenerates files that Renovate cannot regenerate on its own. Renovate
+# updates version strings (e.g. action SHA pins, dependency versions),
+# but a few artifacts in this repo are produced by tools that have to be
+# re-run to stay consistent:
+#
+#   * `licenses/` is generated by `./gradlew generateLicenseReport`.
+#   * `.github/workflows/*.lock.yml` and `.github/aw/actions-lock.json`
+#     are generated by `gh aw compile`. Renovate edits the action SHAs
+#     *inside* the lock files via the github-actions manager, but cannot
+#     re-run the compiler, refresh `actions-lock.json`, or bump the
+#     `gh extension install github/gh-aw --pin vX.Y.Z` argument in
+#     `build-common.yml`. Those edits live in this workflow.
+#
+# This workflow runs on every push to a `renovate/**` branch, recomputes
+# the auto-generated files, and pushes any resulting diff back to the
+# Renovate branch so CI (`check-gh-aw-lockfiles`, etc.) goes green.
 on:
   push:
     branches:
@@ -34,6 +50,46 @@ jobs:
       - name: Update license report
         run: ./gradlew generateLicenseReport --no-build-cache
 
+      # Detect the latest gh-aw-actions version Renovate has installed in the
+      # generated lock files. The CLI extension (`github/gh-aw`) and the
+      # actions (`github/gh-aw-actions/*`) ship from the same repo at the
+      # same version, so we pin the CLI to whatever Renovate picked.
+      - id: gh-aw-version
+        name: Detect target gh-aw version
+        run: |
+          version=$(grep -hoP 'github/gh-aw-actions/[^@]+@[a-f0-9]+ # \Kv[0-9.]+' \
+                      .github/workflows/*.lock.yml \
+                    | sort -V \
+                    | tail -1)
+          if [ -z "$version" ]; then
+            echo "could not detect gh-aw-actions version in lock files" >&2
+            exit 1
+          fi
+          echo "version=$version" >> "$GITHUB_OUTPUT"
+
+      - name: Bump gh-aw CLI pin in build-common.yml
+        env:
+          VERSION: ${{ steps.gh-aw-version.outputs.version }}
+        run: |
+          sed -i -E \
+            "s|(gh extension install github/gh-aw --pin )v[0-9.]+|\1$VERSION|" \
+            .github/workflows/build-common.yml
+
+      - name: Install gh-aw
+        env:
+          GH_TOKEN: ${{ github.token }}
+          VERSION: ${{ steps.gh-aw-version.outputs.version }}
+        run: gh extension install github/gh-aw --pin "$VERSION"
+
+      # No `--no-check-update` here (unlike the check job in
+      # build-common.yml). We *want* this run to refresh
+      # `.github/aw/actions-lock.json` with whatever SHAs the new pinned
+      # compiler resolves, then regenerate the lock files from that.
+      - name: Recompile gh-aw workflows
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh aw compile
+
       - id: create-patch
         name: Create patch file
         run: |
@@ -88,6 +144,6 @@ jobs:
         if: steps.check-patch.outputs.exists == 'true'
         run: |
           git apply "${{ runner.temp }}/patch"
-          git add licenses
-          git commit -m "Update license report"
+          git add -A licenses .github/workflows .github/aw
+          git commit -m "Regenerate auto-managed files"
           git push

.github/workflows/pr-review.md

@@ -93,7 +93,7 @@ jobs:
       model_warning: ${{ steps.gate.outputs.model_warning }}
       triggered_by: ${{ steps.gate.outputs.triggered_by }}
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
           persist-credentials: false
@@ -130,20 +130,20 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
           persist-credentials: false
 
       - name: Download agent artifact
-        uses: actions/download-artifact@v8.0.1
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: agent
           path: ./agent-artifact
         continue-on-error: true
 
       - name: Download review bundle artifact
-        uses: actions/download-artifact@v8.0.1
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: review-bundle
           path: ./review-bundle
@@ -197,7 +197,7 @@ steps:
         --findings-path /tmp/gh-aw/agent/findings.json
 
   - name: Upload review bundle for finalize job
-    uses: actions/upload-artifact@v5
+    uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
     with:
       name: review-bundle
       path: /tmp/gh-aw/bundle