
ci(gh-aw): bump apm-action v1.5.0 -> v1.6.0 for plugin-bundle defenses #1121

Merged
danielmeppiel merged 1 commit into main from fix/gh-aw-bump-apm-action-v1.6
May 3, 2026

Conversation

@danielmeppiel
Collaborator

TL;DR

Bumps the gh-aw shared workflow pin microsoft/apm-action@v1.5.0 -> @v1.6.0 and recompiles the affected lock workflows so the new SHA (275e67418e97c26025852c7e91730cf4c11baf30) is baked in. Unblocks the Triage / PR Review panel agentic workflows, which broke after apm 0.12.0 silently flipped apm pack's default --format from apm to plugin.

Problem (WHY)

Failing run: https://github.com/microsoft/apm/actions/runs/25280156338 (Triage Panel, agent job).

apm unpack rejects the bundle with:

Bundle verification failed -- the following deployed files are missing from the bundle: .agents/skills/..., .github/agents/*.agent.md, .github/instructions/*.md (32 paths).

Two changes collided:

  1. apm 0.12.0 silently changed the default --format of apm pack from apm to plugin (src/apm_cli/commands/pack.py:60-61). Plugin-format bundles store files at plugin-native paths (agents/, skills/, commands/) but the embedded enriched apm.lock.yaml lists deployed_files at deploy-time, target-prefixed paths (.github/agents/..., .agents/skills/...). apm unpack's strict completeness verification (src/apm_cli/bundle/unpacker.py:140-146, unchanged from v0.11) then rejects every plugin bundle.
  2. gh-aw lock workflows pin actions by commit SHA for supply-chain hygiene. The compiled *.lock.yml files pinned microsoft/apm-action@454b8a1d... # v1.5.0, whose bundler.ts calls apm pack with no explicit --format and so inherits the new (broken-for-this-flow) CLI default. The floating v1 tag already points at v1.6.0, but the SHA pin freezes the resolution -- only a recompile picks up the new SHA.

Approach (WHAT)

microsoft/apm-action@v1.6.0 adds the defenses:

  • New bundle-format input, default apm.
  • Passes --format apm explicitly to apm pack.
  • Detects plugin-layout tarballs at restore and refuses them with a friendly error.

Bump the shared workflow pin to v1.6.0 and recompile the lock files so the new SHA is recorded.

Implementation (HOW)

  • .github/workflows/shared/apm.md: 5 textual occurrences of microsoft/apm-action@v1.5.0 -> @v1.6.0 (header pin comment, Pack step, Restore step, two doc references).
  • gh aw compile regenerated:
    • .github/workflows/triage-panel.lock.yml
    • .github/workflows/pr-review-panel.lock.yml
    • .github/aw/actions-lock.json (added the v1.6.0 entry; v1.5.0 entry retained as gh-aw's append-only registry).
  • Other compiled workflows (cli-consistency-checker, daily-doc-updater, daily-test-improver) do not import the shared apm workflow and were unchanged in substance.

Resolved SHA verification:

$ gh api /repos/microsoft/apm-action/git/refs/tags/v1.6.0 --jq '.object.sha'
6aa8752094069ed25accd5ee81c0f1423f72c403
$ gh api /repos/microsoft/apm-action/git/tags/6aa87520... --jq '.object.sha'
275e67418e97c26025852c7e91730cf4c11baf30   # <- now baked into lock files

Validation

  • gh aw compile: 5 workflows, 0 errors, 1 unrelated warning (push-to-pull-request-branch: target: "*" advisory on a different workflow, pre-existing).
  • grep -h "apm-action@" .github/workflows/*.lock.yml returns only the new v1.6.0 SHA.
  • No Python source touched -- ruff lint contract not applicable here.

Follow-ups (separate PRs)

  • The silent --format default flip in apm 0.12.0 should be called out in CHANGELOG.md as a breaking change.
  • Consider deciding (separate design discussion) whether apm unpack should learn the plugin layout, or whether the deprecation toward apm install <bundle> should be accelerated.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
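The mismatch in the Problem section, reconstructed as an added example (not apm's or apm-action's code; the real completeness check lives in src/apm_cli/bundle/unpacker.py and the layout refusal in apm-action v1.6.0, and both differ in detail). The function names, the path roots used to tell the two layouts apart and the sample bundles are constructed; the point shown is why a strict "every deployed_files path must be a tarball member" check rejects a plugin-layout tarball wholesale, and why sniffing the layout first turns a 32-path wall of missing files into an error that names the cause.

```python
"""Reconstruction of the bundle/lock-file mismatch described in this PR.

Added example, not apm's or apm-action's code. The functions, path roots and
sample bundles below are constructed for illustration.
"""
from __future__ import annotations

# Path roots as described in the PR: plugin-format bundles store files at
# plugin-native roots, while the enriched apm.lock.yaml lists deploy-time,
# target-prefixed paths. Treated here as assumptions about the two layouts.
PLUGIN_ROOTS = ("agents/", "skills/", "commands/")
DEPLOY_ROOTS = (".github/", ".agents/")


class BundleVerificationError(Exception):
    """Raised when a bundle cannot be restored safely."""


def missing_deployed_files(deployed_files: list[str], members: set[str]) -> list[str]:
    """Strict completeness check: every path the lock says was deployed must be a tarball member."""
    return [path for path in deployed_files if path not in members]


def looks_like_plugin_layout(members: set[str]) -> bool:
    """Layout sniff, done before the strict check so the error names the real cause."""
    has_plugin_root = any(m.startswith(PLUGIN_ROOTS) for m in members)
    has_deploy_root = any(m.startswith(DEPLOY_ROOTS) for m in members)
    return has_plugin_root and not has_deploy_root


def verify_bundle(deployed_files: list[str], members: set[str]) -> None:
    """Refuse plugin-layout bundles with a clear message; otherwise enforce completeness."""
    if looks_like_plugin_layout(members):
        raise BundleVerificationError(
            "bundle uses the plugin layout (agents/, skills/, commands/); "
            "this restore flow expects an apm-format bundle, re-pack with --format apm"
        )
    missing = missing_deployed_files(deployed_files, members)
    if missing:
        raise BundleVerificationError(
            "Bundle verification failed -- the following deployed files are missing "
            f"from the bundle: {', '.join(missing)} ({len(missing)} paths)"
        )


def classify(deployed_files: list[str], members: set[str]) -> str:
    """Convenience wrapper returning 'ok', 'plugin-layout' or 'incomplete'."""
    try:
        verify_bundle(deployed_files, members)
    except BundleVerificationError as err:
        return "plugin-layout" if "plugin layout" in str(err) else "incomplete"
    return "ok"


# Constructed sample data (not real apm.lock.yaml content).
DEPLOYED_FILES = [
    ".github/agents/triage.agent.md",
    ".agents/skills/review/SKILL.md",
    ".github/instructions/python.instructions.md",
]
APM_FORMAT_BUNDLE = set(DEPLOYED_FILES) | {"apm.lock.yaml"}
# Same content packed with the plugin layout: nothing in deployed_files is present.
PLUGIN_FORMAT_BUNDLE = {"apm.lock.yaml", "agents/triage.agent.md", "skills/review/SKILL.md"}
# An apm-format bundle that genuinely lost files: the strict check is the right answer here.
TRUNCATED_BUNDLE = {"apm.lock.yaml", ".github/agents/triage.agent.md"}

if __name__ == "__main__":
    for name, members in [("apm", APM_FORMAT_BUNDLE),
                          ("plugin", PLUGIN_FORMAT_BUNDLE),
                          ("truncated", TRUNCATED_BUNDLE)]:
        print(f"{name:>9} -> {classify(DEPLOYED_FILES, members)}")
```

The order of the two checks is the whole design point: run the completeness check alone and a plugin-layout bundle is reported as dozens of missing files, which is what the failing run showed; sniff the layout first and the operator is told to re-pack with --format apm.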

The compiled gh-aw lock workflows pinned microsoft/apm-action@v1.5.0 by
commit SHA, which packs APM bundles with no explicit --format. After
apm 0.12.0 silently flipped 'apm pack' default --format from 'apm' to
'plugin', the resulting plugin-layout bundles are rejected by the
strict completeness check in 'apm unpack' (deployed_files lists
target-prefixed paths like .agents/skills/... that don't exist in the
plugin-native layout). Symptom: Triage Panel run 25280156338 failed
the agent job's restore step.

apm-action v1.6.0 defaults the bundle-format input to 'apm', passes
'--format apm' explicitly to 'apm pack', and refuses plugin-format
bundles at restore with a friendly error. The floating v1 tag already
points at v1.6.0, but lock workflows pin the literal SHA, so a
recompile is required to pick up the new resolution.

Bumps the shared workflow's pin from v1.5.0 -> v1.6.0 and recompiles
all gh-aw workflows. Resolved SHA: 275e67418e97c26025852c7e91730cf4c11baf30.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
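The two-hop tag resolution from the "Resolved SHA verification" block and the grep check from the Validation section, as an added example (not gh-aw's or apm-action's code). It replaces the two gh api calls with an inline dict shaped like the GitHub git-refs and git-tags responses, so it runs offline; the v1.6.0 SHAs are the ones quoted in the PR, the v1.5.0 SHA is a constructed placeholder, and the registry mapping owner/repo@tag to a commit is an assumed shape standing in for the role actions-lock.json plays, whose real schema is not shown on this page.

```python
"""Offline audit of SHA pins in compiled lock workflows.

Added example, not gh-aw's or apm-action's code. The git API stand-in, the
registry shape and the sample workflow text are constructed for illustration.
"""
import re

V160_SHA = "275e67418e97c26025852c7e91730cf4c11baf30"   # from the PR
V160_TAG_OBJECT = "6aa8752094069ed25accd5ee81c0f1423f72c403"  # from the PR
V150_SHA_PLACEHOLDER = "1" * 40                       # constructed, not the real v1.5.0 commit

# Stand-in for `gh api /repos/<o>/<r>/git/refs/tags/<tag>` and `.../git/tags/<sha>`.
# An annotated tag resolves to a tag object first, which must be dereferenced;
# a lightweight tag points straight at the commit. Keyed by the path suffix.
FAKE_GIT_API = {
    "refs/tags/v1.6.0": {"object": {"type": "tag", "sha": V160_TAG_OBJECT}},
    f"tags/{V160_TAG_OBJECT}": {"object": {"type": "commit", "sha": V160_SHA}},
    "refs/tags/v1.5.0": {"object": {"type": "commit", "sha": V150_SHA_PLACEHOLDER}},
}


def resolve_tag_commit(tag: str, api=FAKE_GIT_API) -> str:
    """Follow refs/tags/<tag> to the commit it names, taking the extra hop for annotated tags."""
    obj = api[f"refs/tags/{tag}"]["object"]
    if obj["type"] == "tag":
        obj = api[f"tags/{obj['sha']}"]["object"]
    if obj["type"] != "commit":
        raise ValueError(f"{tag} does not resolve to a commit")
    return obj["sha"]


USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<tag>\S+))?"
)
SHA40 = re.compile(r"^[0-9a-f]{40}$")


def audit_pins(workflow_text: str, registry: dict) -> list:
    """Return (line_no, action, verdict) for every `uses:` line.

    registry maps 'owner/repo@tag' to the commit that tag resolves to; a pin is
    only 'ok' when the ref is a full SHA, carries a version comment, and that
    version's registered commit is the pinned SHA.
    """
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, tag = m["action"], m["ref"], m["tag"]
        key = f"{action}@{tag}"
        if not SHA40.match(ref):
            verdict = f"unpinned: mutable ref {ref}"
        elif tag is None:
            verdict = "pinned but no version comment to audit against"
        elif key not in registry:
            verdict = f"not in registry: {key}"
        elif registry[key] != ref:
            verdict = f"mismatch: comment says {tag} but {ref[:8]} is not that tag's commit"
        else:
            verdict = "ok"
        findings.append((n, action, verdict))
    return findings


def pinned_shas(workflow_text: str, action: str) -> set:
    """Equivalent of `grep -h 'apm-action@' *.lock.yml`: every ref used for one action."""
    return {m["ref"] for line in workflow_text.splitlines()
            if (m := USES_RE.match(line)) and m["action"] == action}


# Constructed lock-file excerpt exercising each verdict.
SAMPLE_LOCK = f"""\
jobs:
  agent:
    steps:
      - uses: actions/checkout@v4
      - uses: microsoft/apm-action@{V160_SHA} # v1.6.0
      - uses: microsoft/apm-action@{V150_SHA_PLACEHOLDER} # v1.6.0
      - uses: microsoft/apm-action@{V160_SHA}
"""
REGISTRY = {f"microsoft/apm-action@{t}": resolve_tag_commit(t) for t in ("v1.5.0", "v1.6.0")}

if __name__ == "__main__":
    for n, action, verdict in audit_pins(SAMPLE_LOCK, REGISTRY):
        print(f"line {n}: {action}: {verdict}")
    print("apm-action refs:", sorted(pinned_shas(SAMPLE_LOCK, "microsoft/apm-action")))
```

The mismatch verdict is the case the PR is about in reverse: a stale SHA left under a fresh version comment would pass a plain `grep apm-action@` but fails here, because the audit compares the pin to what the tag actually resolves to rather than to the comment beside it.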
Copilot AI review requested due to automatic review settings May 3, 2026 17:41
Contributor

Copilot AI left a comment


Pull request overview

Bumps the GitHub Agentic Workflows (gh-aw) APM shared workflow from microsoft/apm-action@v1.5.0 to v1.6.0 and recompiles the affected lock workflows so the new commit SHA is pinned, restoring the Triage / PR Review panel workflows after the apm pack default format change.

Changes:

  • Update .github/workflows/shared/apm.md to use microsoft/apm-action@v1.6.0.
  • Regenerate the gh-aw compiled lock workflows to pin microsoft/apm-action to 275e67418e97c26025852c7e91730cf4c11baf30 (v1.6.0).
  • Extend .github/aw/actions-lock.json with the new microsoft/apm-action@v1.6.0 entry.
Summary per file:

  • .github/workflows/shared/apm.md: Updates the shared gh-aw APM workflow to use microsoft/apm-action@v1.6.0.
  • .github/workflows/triage-panel.lock.yml: Recompiled lock workflow to pin microsoft/apm-action to the v1.6.0 SHA.
  • .github/workflows/pr-review-panel.lock.yml: Recompiled lock workflow to pin microsoft/apm-action to the v1.6.0 SHA.
  • .github/aw/actions-lock.json: Adds the microsoft/apm-action@v1.6.0 tag-to-SHA mapping used by gh-aw compilation.

Copilot's findings

  • Files reviewed: 4/4 changed files
  • Comments generated: 0

danielmeppiel merged commit 0705920 into main, May 3, 2026
21 checks passed
danielmeppiel deleted the fix/gh-aw-bump-apm-action-v1.6 branch May 3, 2026 17:58