Problem
The SkipHardcodedFallback field in PinContext prevents the compiler from silently falling back to potentially unverified bundled action pins when the dynamic resolver (which queries github.com) fails.
However, the current detection in pkg/workflow/compiler_types.go's PinContext() method only checks os.Getenv("GH_HOST"):
```go
if ghHost := os.Getenv("GH_HOST"); ghHost != "" && ghHost != "github.com" {
	pinCtx.SkipHardcodedFallback = true
}
```
This misses two cases where the tool is effectively targeting a GHE host:
- SetDefaultGHHost was called (e.g., by the add command after auto-detecting a GHE git remote), but GH_HOST env var is unset.
- The git remote URL points to a GHE host but neither GH_HOST env var nor SetDefaultGHHost is set (fresh invocation of compile without any host config).
In these cases, SkipHardcodedFallback is not set, so a dynamic-resolution failure silently falls back to hardcoded pins.
Related issue: #39792
Fix
Extend PinContext() in pkg/workflow/compiler_types.go to also check getDefaultGHHost() (the value set via SetDefaultGHHost). If the effective host is non-empty and is not github.com, set SkipHardcodedFallback = true.
Implementation approach
```go
// Existing check
if ghHost := os.Getenv("GH_HOST"); ghHost != "" && ghHost != "github.com" {
	pinCtx.SkipHardcodedFallback = true
}
// New: also check the programmatically-configured default host
if defaultHost := getDefaultGHHost(); defaultHost != "" && defaultHost != "github.com" {
	pinCtx.SkipHardcodedFallback = true
}
```
Note: after the companion fix (forcing github.com in resolveFromGitHub), dynamic resolution should succeed on GHE hosts. This check is defense-in-depth: if github.com is unreachable, the tool correctly refuses to emit unverified pins rather than silently using bundled fallbacks.
Files to modify
- pkg/workflow/compiler_types.go — add getDefaultGHHost() check in PinContext()
- pkg/workflow/compiler_types_test.go — add test case for the SetDefaultGHHost-set scenario
Acceptance criteria
- PinContext() sets SkipHardcodedFallback = true when SetDefaultGHHost was called with a non-github.com host, even if GH_HOST env var is unset
- PinContext() does not set SkipHardcodedFallback when SetDefaultGHHost was called with github.com
- GH_HOST env var tests still pass
- make agent-report-progress)
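The fail-closed behaviour described under Fix and in the Note, as an added example that is not the project's own code: a self-contained model of the two host checks and of the fallback decision they gate. `setDefaultHost`, `buildPinContext`, `resolvePin`, `errNoVerifiedPin` and the host `ghe.example.com` are hypothetical stand-ins for the project's `SetDefaultGHHost`, `PinContext()` and resolver.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// Stand-in for the value the project stores via SetDefaultGHHost (assumed shape).
var defaultGHHost string

func setDefaultHost(h string) { defaultGHHost = h }

// pinContext models only the field discussed in the issue.
type pinContext struct{ SkipHardcodedFallback bool }

// isNonDotCom reports whether a host is configured and is not github.com.
func isNonDotCom(host string) bool { return host != "" && host != "github.com" }

// buildPinContext applies both checks: the GH_HOST env var and the programmatic default.
func buildPinContext() pinContext {
	skip := isNonDotCom(os.Getenv("GH_HOST")) || isNonDotCom(defaultGHHost)
	return pinContext{SkipHardcodedFallback: skip}
}

var errNoVerifiedPin = errors.New("dynamic resolution failed and bundled fallback is disabled")

// resolvePin tries the dynamic resolver first and uses the bundled pin only when allowed.
func resolvePin(ctx pinContext, dynamic func() (string, error), bundled string) (string, error) {
	if sha, err := dynamic(); err == nil {
		return sha, nil
	}
	if ctx.SkipHardcodedFallback {
		return "", errNoVerifiedPin // fail closed: no unverified pin is emitted
	}
	return bundled, nil
}

func main() {
	// Constructed scenario: the resolver cannot reach github.com.
	down := func() (string, error) { return "", errors.New("github.com unreachable") }
	os.Unsetenv("GH_HOST")
	setDefaultHost("ghe.example.com") // constructed GHE host, GH_HOST unset
	_, err := resolvePin(buildPinContext(), down, "bundled-sha-placeholder")
	fmt.Println("GHE default host:", err)
	setDefaultHost("github.com")
	pin, _ := resolvePin(buildPinContext(), down, "bundled-sha-placeholder")
	fmt.Println("github.com default host:", pin)
}
```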