Summary
After running gh aw update and gh aw compile with gh-aw v0.67.3, the actions-lock.json file ends up with two entries for github/gh-aw-actions/setup:
v0.67.1 — the runtime version the compiler hardcodes into compiled .lock.yml filesv0.67.3 — added by gh aw update but never referenced by any compiled workflow
"github/gh-aw-actions/setup@v0.67.1": {
"sha": "80471a493be8c528dd27daf73cd644242a7965e0"
},
"github/gh-aw-actions/setup@v0.67.3": {
"sha": "eef369c24101e76a5bf51579c26798b28f666813"
}Steps to reproduce
gh aw update — updates compiler to v0.67.3, adds v0.67.3 entries to actions-lock.jsongh aw compile — compiles all workflows, but emits v0.67.1 SHA pins in .lock.yml files, re-adding v0.67.1 to actions-lock.json- Result: two versions of the same action in the lock file, with the "latest" one unused
Manually removing the v0.67.1 entry and recompiling does not help — the compiler re-adds it.
Expected behavior
The compiler should either:
- Pin the same version it was updated to (v0.67.3) in compiled output, or
gh aw update should not add an entry for a version that the compiler will not use, orgh aw compile should prune stale/unreferenced entries from actions-lock.json
Environment
Summary
After running
gh aw updateandgh aw compilewith gh-aw v0.67.3, theactions-lock.jsonfile ends up with two entries forgithub/gh-aw-actions/setup:v0.67.1— the runtime version the compiler hardcodes into compiled.lock.ymlfilesv0.67.3— added bygh aw updatebut never referenced by any compiled workflowSteps to reproduce
gh aw update— updates compiler to v0.67.3, adds v0.67.3 entries toactions-lock.jsongh aw compile— compiles all workflows, but emitsv0.67.1SHA pins in.lock.ymlfiles, re-adding v0.67.1 toactions-lock.jsonManually removing the v0.67.1 entry and recompiling does not help — the compiler re-adds it.
Expected behavior
The compiler should either:
gh aw updateshould not add an entry for a version that the compiler will not use, orgh aw compileshould prune stale/unreferenced entries fromactions-lock.jsonEnvironment