chore: sync actions from gh-aw@v0.67.2 (#70)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: github-actions[bot]

setup/index.js

@@ -3,32 +3,17 @@
 
 const { spawnSync } = require("child_process");
 const path = require("path");
+const { getActionInput } = require("./js/action_input_utils.cjs");
 
 // Record start time for the OTLP span before any setup work begins.
 const setupStartMs = Date.now();
 
-// GitHub Actions sets INPUT_* env vars for JavaScript actions by converting
-// input names to uppercase and replacing hyphens with underscores. Explicitly
-// normalize inputs with hyphens in their names because some runner versions
-// preserve the original hyphen instead of converting it to an underscore.
-const safeOutputCustomTokens =
-  process.env["INPUT_SAFE_OUTPUT_CUSTOM_TOKENS"] ||
-  process.env["INPUT_SAFE-OUTPUT-CUSTOM-TOKENS"] ||
-  "false";
-
-// Normalize trace-id input: handle both INPUT_TRACE_ID (underscore, standard)
-// and INPUT_TRACE-ID (hyphen, used by some runner versions).
-const inputTraceId =
-  process.env["INPUT_TRACE_ID"] ||
-  process.env["INPUT_TRACE-ID"] ||
-  "";
-
-// Normalize job-name input: handle both INPUT_JOB_NAME (underscore, standard)
-// and INPUT_JOB-NAME (hyphen, used by some runner versions).
-const inputJobName =
-  process.env["INPUT_JOB_NAME"] ||
-  process.env["INPUT_JOB-NAME"] ||
-  "";
+// GitHub Actions converts input names to INPUT_<UPPER_UNDERSCORE>, but some
+// runner versions preserve the original hyphen form. getActionInput() handles
+// both forms automatically.
+const safeOutputCustomTokens = getActionInput("SAFE_OUTPUT_CUSTOM_TOKENS") || "false";
+const inputTraceId = getActionInput("TRACE_ID");
+const inputJobName = getActionInput("JOB_NAME");
 
 const result = spawnSync(path.join(__dirname, "setup.sh"), [], {
   stdio: "inherit",

setup/js/action_conclusion_otlp.cjs

@@ -30,6 +30,7 @@
  */
 
 const sendOtlpSpan = require("./send_otlp_span.cjs");
+const { getActionInput } = require("./action_input_utils.cjs");
 
 /**
  * Send the OTLP job-conclusion span.  Non-fatal: all errors are silently
@@ -48,9 +49,7 @@ async function run() {
   const rawJobStartMs = parseInt(process.env.GITHUB_AW_OTEL_JOB_START_MS || "0", 10);
   const startMs = rawJobStartMs > 0 ? rawJobStartMs : undefined;
 
-  // Normalize job-name input: handle both INPUT_JOB_NAME (underscore, standard)
-  // and INPUT_JOB-NAME (hyphen, used by some runner versions).
-  const jobName = (process.env.INPUT_JOB_NAME || process.env["INPUT_JOB-NAME"] || "").trim();
+  const jobName = getActionInput("JOB_NAME");
   const spanName = jobName ? `gh-aw.${jobName}.conclusion` : "gh-aw.job.conclusion";
   console.log(`[otlp] sending conclusion span "${spanName}" to ${endpoint}`);
 

setup/js/action_input_utils.cjs

@@ -0,0 +1,20 @@
+// @ts-check
+"use strict";
+
+/**
+ * Read a GitHub Actions input value, handling both the standard underscore form
+ * (INPUT_<NAME>) and the hyphen form (INPUT_<NAM-E>) preserved by some runner versions.
+ *
+ * GitHub Actions converts input names to INPUT_<UPPER_UNDERSCORE> by default, but
+ * some runner versions preserve the original hyphen from the input name. Checking
+ * both forms ensures the value is resolved regardless of the runner version.
+ *
+ * @param {string} name - Input name in UPPER_UNDERSCORE form (e.g. "JOB_NAME")
+ * @returns {string} Trimmed input value, or "" if not set.
+ */
+function getActionInput(name) {
+  const hyphenName = name.replace(/_/g, "-");
+  return (process.env[`INPUT_${name}`] || process.env[`INPUT_${hyphenName}`] || "").trim();
+}
+
+module.exports = { getActionInput };

setup/js/action_setup_otlp.cjs

@@ -28,6 +28,7 @@
 const path = require("path");
 const { appendFileSync } = require("fs");
 const { nowMs } = require("./performance_now.cjs");
+const { getActionInput } = require("./action_input_utils.cjs");
 
 /**
  * Send the OTLP job-setup span and propagate trace context via GITHUB_OUTPUT /
@@ -48,24 +49,17 @@ async function run() {
   // Explicitly read INPUT_TRACE_ID and pass it as options.traceId so the
   // activation job's trace ID is used even when process.env propagation
   // through GitHub Actions expression evaluation is unreliable.
-  // Also handle INPUT_TRACE-ID (with hyphen) in case the runner preserves
-  // the original input name hyphen instead of converting it to an underscore.
-  const inputTraceId = (process.env.INPUT_TRACE_ID || process.env["INPUT_TRACE-ID"] || "").trim().toLowerCase();
+  const inputTraceId = getActionInput("TRACE_ID").toLowerCase();
   if (inputTraceId) {
     console.log(`[otlp] INPUT_TRACE_ID=${inputTraceId} (will reuse activation trace)`);
   } else {
     console.log("[otlp] INPUT_TRACE_ID not set, a new trace ID will be generated");
   }
 
-  // Normalize job-name input: handle both INPUT_JOB_NAME (underscore, standard)
-  // and INPUT_JOB-NAME (hyphen, used by some runner versions).  Mirror the same
-  // two-key lookup that INPUT_TRACE_ID uses above so script-mode invocations
-  // (setup.sh → node action_setup_otlp.cjs) always resolve the job name even
-  // when the runner preserves the original hyphen in the env var name.
-  const inputJobName = (process.env.INPUT_JOB_NAME || process.env["INPUT_JOB-NAME"] || "").trim();
+  // Normalize to the canonical underscore form so sendJobSetupSpan (which
+  // reads process.env.INPUT_JOB_NAME) always finds the value.
+  const inputJobName = getActionInput("JOB_NAME");
   if (inputJobName) {
-    // Normalise to the canonical underscore form so sendJobSetupSpan (which
-    // reads process.env.INPUT_JOB_NAME) always finds the value.
     process.env.INPUT_JOB_NAME = inputJobName;
   }
 
@@ -104,7 +98,7 @@ async function run() {
     }
     // Propagate setup-end timestamp so the conclusion span can measure actual
     // job execution duration (setup-end → conclusion-start).
-    const setupEndMs = Math.round(nowMs());
+    const setupEndMs = Math.floor(nowMs());
     appendFileSync(process.env.GITHUB_ENV, `GITHUB_AW_OTEL_JOB_START_MS=${setupEndMs}\n`);
     console.log(`[otlp] GITHUB_AW_OTEL_JOB_START_MS written to GITHUB_ENV`);
   }

setup/js/add_reviewer.cjs

@@ -19,30 +19,24 @@ const { COPILOT_REVIEWER_BOT } = require("./constants.cjs");
  * @type {HandlerFactoryFunction}
  */
 async function main(config = {}) {
-  // Extract configuration
-  const allowedReviewers = config.allowed || [];
-  const maxCount = config.max || 10;
+  const allowedReviewers = config.allowed ?? [];
+  const maxCount = config.max ?? 10;
   const githubClient = await createAuthenticatedGitHubClient(config);
-
-  // Check if we're in staged mode
   const isStaged = isStagedMode(config);
 
   core.info(`Add reviewer configuration: max=${maxCount}`);
   if (allowedReviewers.length > 0) {
     core.info(`Allowed reviewers: ${allowedReviewers.join(", ")}`);
   }
 
-  // Track how many items we've processed for max limit
   let processedCount = 0;
 
   /**
-   * Message handler function that processes a single add_reviewer message
    * @param {Object} message - The add_reviewer message to process
    * @param {Object} resolvedTemporaryIds - Map of temporary IDs to {repo, number}
    * @returns {Promise<Object>} Result with success/error status
    */
   return async function handleAddReviewer(message, resolvedTemporaryIds) {
-    // Check if we've hit the max limit
     if (processedCount >= maxCount) {
       core.warning(`Skipping add_reviewer: max count of ${maxCount} reached`);
       return {
@@ -53,7 +47,6 @@ async function main(config = {}) {
 
     processedCount++;
 
-    // Determine PR number using helper
     const { prNumber, error } = getPullRequestNumber(message, context);
 
     if (error) {
@@ -64,7 +57,7 @@ async function main(config = {}) {
       };
     }
 
-    const requestedReviewers = message.reviewers || [];
+    const requestedReviewers = message.reviewers ?? [];
     core.info(`Requested reviewers: ${JSON.stringify(requestedReviewers)}`);
 
     // Use shared helper to filter, sanitize, dedupe, and limit

setup/js/check_workflow_timestamp_api.cjs

@@ -45,16 +45,17 @@ async function main() {
 
   // Determine workflow source repository from the workflow ref for cross-repo support.
   //
-  // For cross-repo workflow_call invocations (reusable workflows called from another repo),
-  // the GITHUB_WORKFLOW_REF env var always points to the TOP-LEVEL CALLER's workflow, not
-  // the reusable workflow being executed. This causes the script to look for lock files in
-  // the wrong repository.
+  // For cross-repo reusable workflow invocations, both GITHUB_WORKFLOW_REF (env var) and
+  // ${{ github.workflow_ref }} (injected as GH_AW_CONTEXT_WORKFLOW_REF) resolve to the
+  // TOP-LEVEL CALLER's workflow, not the reusable workflow being executed. This causes the
+  // script to look for lock files in the wrong repository when used alone.
   //
-  // The GitHub Actions expression ${{ github.workflow_ref }} is injected as GH_AW_CONTEXT_WORKFLOW_REF
-  // by the compiler and correctly identifies the CURRENT reusable workflow's ref even in
-  // cross-repo workflow_call scenarios. We prefer it over GITHUB_WORKFLOW_REF when available.
+  // The reliable fix is the referenced_workflows API lookup below, which identifies the
+  // callee's repo/ref from the caller's run object. GH_AW_CONTEXT_WORKFLOW_REF is only
+  // used as a fallback when the API lookup is unavailable or finds no matching entry.
   //
-  // Ref: https://github.com/github/gh-aw/issues/23935
+  // Refs: https://github.com/github/gh-aw/issues/23935
+  //       https://github.com/github/gh-aw/issues/24422
   const workflowEnvRef = process.env.GH_AW_CONTEXT_WORKFLOW_REF || process.env.GITHUB_WORKFLOW_REF || "";
   const currentRepo = process.env.GITHUB_REPOSITORY || `${context.repo.owner}/${context.repo.repo}`;
 
@@ -82,14 +83,18 @@ async function main() {
     ref = undefined;
   }
 
-  // For workflow_call events, use referenced_workflows from the GitHub API run object to
-  // resolve the callee (reusable workflow) repo and ref.
+  // Attempt referenced_workflows API lookup to detect cross-repo callee repo/ref.
+  //
+  // IMPORTANT: GITHUB_EVENT_NAME inside a reusable workflow reflects the ORIGINAL trigger
+  // event (e.g., "push", "issues"), NOT "workflow_call". We therefore cannot rely on event
+  // name to detect cross-repo scenarios.
+  //
+  // Similarly, GH_AW_CONTEXT_WORKFLOW_REF (${{ github.workflow_ref }}) resolves to the
+  // CALLER's workflow ref, not the callee's. It is used as a fallback only when the API
+  // lookup is unavailable or finds no matching entry.
   //
   // Resolution priority:
   //   1. referenced_workflows[].sha  — immutable commit SHA from the callee repo (most precise).
-  //      GH_AW_CONTEXT_WORKFLOW_REF (${{ github.workflow_ref }}) correctly identifies the callee
-  //      in most cases, but referenced_workflows carries the pinned sha which won't drift if a
-  //      branch ref moves during a long-running job.
   //   2. referenced_workflows[].ref  — branch/tag ref from the callee (fallback when sha absent).
   //   3. GH_AW_CONTEXT_WORKFLOW_REF  — injected by the compiler; used when the API is unavailable
   //      or when no matching entry is found in referenced_workflows.
@@ -98,60 +103,66 @@ async function main() {
   // are set to the caller's run ID and repo. The caller's run object includes a
   // referenced_workflows array listing the callee's exact path, sha, and ref.
   //
-  // GITHUB_EVENT_NAME and GITHUB_RUN_ID are always set in GitHub Actions environments.
-  // context.eventName / context.runId are fallbacks for environments where env vars are absent.
+  // Short-circuit: if the env workflow ref already ends with the current workflow file,
+  // the env vars already correctly identify the source (same-repo or non-reusable run).
+  // Skip the API call to avoid unnecessary rate-limit usage and permission noise.
+  //
+  // GITHUB_RUN_ID is always set in GitHub Actions environments.
+  // context.runId is a fallback for environments where env vars are absent.
   //
-  // Ref: https://github.com/github/gh-aw/issues/24422
-  const eventName = process.env.GITHUB_EVENT_NAME || context.eventName;
-  if (eventName === "workflow_call") {
-    const runId = parseInt(process.env.GITHUB_RUN_ID || String(context.runId), 10);
-    if (Number.isFinite(runId)) {
-      const [runOwner, runRepo] = currentRepo.split("/");
-      try {
-        core.info(`workflow_call event detected, resolving callee repo via referenced_workflows API (run ${runId})`);
-        const runResponse = await github.rest.actions.getWorkflowRun({
-          owner: runOwner,
-          repo: runRepo,
-          run_id: runId,
-        });
-
-        const referencedWorkflows = runResponse.data.referenced_workflows || [];
-        core.info(`Found ${referencedWorkflows.length} referenced workflow(s) in caller run`);
-
-        // Find the entry whose path matches the current workflow file.
-        // Path format: "org/repo/.github/workflows/file.lock.yml@ref"
-        // Using replace to robustly strip the optional @ref suffix before matching.
-        const matchingEntry = referencedWorkflows.find(wf => {
-          const pathWithoutRef = wf.path.replace(/@.*$/, "");
-          return pathWithoutRef.endsWith(`/.github/workflows/${workflowFile}`);
-        });
-
-        if (matchingEntry) {
-          const pathMatch = matchingEntry.path.match(GITHUB_REPO_PATH_RE);
-          if (pathMatch) {
-            owner = pathMatch[1];
-            repo = pathMatch[2];
-            // Prefer sha (immutable) over ref (branch/tag can drift) over path-parsed ref.
-            ref = matchingEntry.sha || matchingEntry.ref || pathMatch[3];
-            workflowRepo = `${owner}/${repo}`;
-            core.info(`Resolved callee repo from referenced_workflows: ${owner}/${repo} @ ${ref || "(default branch)"}`);
-            core.info(`  Referenced workflow path: ${matchingEntry.path}`);
-          }
-        } else {
-          core.info(`No matching entry in referenced_workflows for "${workflowFile}", falling back to GH_AW_CONTEXT_WORKFLOW_REF`);
+  // Refs: https://github.com/github/gh-aw/issues/24422
+  const runId = parseInt(process.env.GITHUB_RUN_ID || String(context.runId), 10);
+  const envRefWithoutAt = workflowEnvRef.replace(/@.*$/, "");
+  const envRefMatchesWorkflow = envRefWithoutAt.endsWith(`/.github/workflows/${workflowFile}`);
+
+  if (envRefMatchesWorkflow) {
+    core.info("Env workflow ref already identifies this workflow, skipping referenced_workflows API lookup");
+  } else if (Number.isFinite(runId)) {
+    const [runOwner, runRepo] = currentRepo.split("/");
+    try {
+      core.info(`Checking for cross-repo callee via referenced_workflows API (run ${runId})`);
+      const runResponse = await github.rest.actions.getWorkflowRun({
+        owner: runOwner,
+        repo: runRepo,
+        run_id: runId,
+      });
+
+      const referencedWorkflows = runResponse.data.referenced_workflows || [];
+      core.info(`Found ${referencedWorkflows.length} referenced workflow(s) in run`);
+
+      // Find the entry whose path matches the current workflow file.
+      // Path format: "org/repo/.github/workflows/file.lock.yml@ref"
+      // Using replace to robustly strip the optional @ref suffix before matching.
+      const matchingEntry = referencedWorkflows.find(wf => {
+        const pathWithoutRef = wf.path.replace(/@.*$/, "");
+        return pathWithoutRef.endsWith(`/.github/workflows/${workflowFile}`);
+      });
+
+      if (matchingEntry) {
+        const pathMatch = matchingEntry.path.match(GITHUB_REPO_PATH_RE);
+        if (pathMatch) {
+          owner = pathMatch[1];
+          repo = pathMatch[2];
+          // Prefer sha (immutable) over ref (branch/tag can drift) over path-parsed ref.
+          ref = matchingEntry.sha || matchingEntry.ref || pathMatch[3];
+          workflowRepo = `${owner}/${repo}`;
+          core.info(`Resolved callee repo from referenced_workflows: ${owner}/${repo} @ ${ref || "(default branch)"}`);
+          core.info(`  Referenced workflow path: ${matchingEntry.path}`);
         }
-      } catch (error) {
-        core.info(`Could not fetch referenced_workflows from API: ${getErrorMessage(error)}, falling back to GH_AW_CONTEXT_WORKFLOW_REF`);
+      } else {
+        core.info(`No matching entry in referenced_workflows for "${workflowFile}", falling back to GH_AW_CONTEXT_WORKFLOW_REF`);
       }
-    } else {
-      core.info("workflow_call event detected but run ID is unavailable or invalid, falling back to GH_AW_CONTEXT_WORKFLOW_REF");
+    } catch (error) {
+      core.info(`Could not fetch referenced_workflows from API: ${getErrorMessage(error)}, falling back to GH_AW_CONTEXT_WORKFLOW_REF`);
     }
+  } else {
+    core.info("Run ID is unavailable or invalid, falling back to GH_AW_CONTEXT_WORKFLOW_REF");
   }
 
   const contextWorkflowRef = process.env.GH_AW_CONTEXT_WORKFLOW_REF;
   core.info(`GITHUB_WORKFLOW_REF: ${process.env.GITHUB_WORKFLOW_REF || "(not set)"}`);
   if (contextWorkflowRef) {
-    core.info(`GH_AW_CONTEXT_WORKFLOW_REF: ${contextWorkflowRef} (used for source repo resolution)`);
+    core.info(`GH_AW_CONTEXT_WORKFLOW_REF: ${contextWorkflowRef} (available as env fallback)`);
   }
   core.info(`GITHUB_REPOSITORY: ${currentRepo}`);
   core.info(`Resolved source repo: ${owner}/${repo} @ ${ref || "(default branch)"}`);