Fix check-gh-aw-lockfiles to use PR files API instead of git diff

trask · trask · commit 4df74330161f · 2026-05-09T12:55:51.000-07:00
A 3-dot `git diff base.sha...HEAD` over-includes upstream changes that
entered the PR branch via merges from main, which falsely triggers the
gh-aw compile and fails the lockfile check on PRs that did not modify
any gh-aw inputs.

Use the GitHub PR files API instead, which returns the canonical list
of files actually changed by the PR.
diff --git a/.github/workflows/build-common.yml b/.github/workflows/build-common.yml
@@ -177,7 +177,6 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          fetch-depth: 0
           persist-credentials: false
 
       - name: Install gh-aw
@@ -191,61 +190,29 @@ jobs:
         run: |
           set -euo pipefail
 
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            mapfile -t changed_files < <(
-              git diff --name-only "${{ github.event.pull_request.base.sha }}"...HEAD -- \
-                ".github/workflows/*.md" \
-                ".github/workflows/*.lock.yml" \
-                ".github/agents/**" \
-                ".github/aw/**"
-            )
-          else
-            mapfile -t changed_files < <(find .github/workflows -maxdepth 1 -name "*.md" | sort)
-          fi
-
-          declare -A workflow_ids=()
-          compile_all=false
-
-          for changed_file in "${changed_files[@]}"; do
-            case "$changed_file" in
-              .github/workflows/*.md)
-                workflow_file="${changed_file##*/}"
-                workflow_ids["${workflow_file%.md}"]=1
-                ;;
-              .github/workflows/*.lock.yml)
-                workflow_file="${changed_file##*/}"
-                workflow_ids["${workflow_file%.lock.yml}"]=1
-                ;;
-              .github/agents/*|.github/aw/*)
-                compile_all=true
-                ;;
-            esac
-          done
-
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            compile_all=true
-          fi
-
-          if [[ "$compile_all" == "true" ]]; then
-            while IFS= read -r lock_file; do
-              workflow_file="${lock_file##*/}"
-              workflow_ids["${workflow_file%.lock.yml}"]=1
-            done < <(find .github/workflows -maxdepth 1 -name "*.lock.yml" | sort)
-          fi
+          # Always compile all gh-aw workflows. The compiler is pinned via
+          # `gh extension install --pin` and `--no-check-update`, and action
+          # SHAs are pinned via .github/aw/actions-lock.json, so the output
+          # is deterministic for a given pinned version. Compiling all
+          # workflows takes only a couple of seconds.
+          mapfile -t workflow_ids < <(
+            find .github/workflows -maxdepth 1 -name "*.md" \
+              -exec basename {} .md \; \
+              | sort
+          )
 
           if [[ ${#workflow_ids[@]} -eq 0 ]]; then
-            echo "No gh-aw workflow sources or lockfiles changed."
+            echo "No gh-aw workflow sources found."
             echo "workflows=" >> "$GITHUB_OUTPUT"
             exit 0
           fi
 
-          printf '%s\n' "${!workflow_ids[@]}" | sort > /tmp/gh-aw-workflows.txt
           echo "Workflows to compile:"
-          cat /tmp/gh-aw-workflows.txt
+          printf '%s\n' "${workflow_ids[@]}"
 
           {
             echo "workflows<<EOF"
-            tr '\n' ' ' < /tmp/gh-aw-workflows.txt
+            printf '%s ' "${workflow_ids[@]}"
             echo
             echo "EOF"
           } >> "$GITHUB_OUTPUT"
