reference legacy GHA internal call like external #111

Open
sarasvoss wants to merge 1 commit into main from legacy-stable-fix

@sarasvoss
Contributor

PR Summary

Jira: https://opensesame.atlassian.net/browse/CORE-XXXX

Description of Changes

Versioning

⚠️ Components in this repo are used by multiple repos and teams. Breaking changes to non-versioned components are high-risk. Always apply correct versioning to versioned components to ensure safe, controlled updates.

Versioned components live under ./github/actions

Does this PR modify a versioned component?

  • No — label this PR with version:untracked
  • Yes
    • Add a version label: version:<component-name>/X.Y.Z
    • Ensure the component’s CHANGELOG.md includes a ## X.Y.Z entry
    • Use version:untracked only if changes do not alter behavior, inputs, or outputs

If version labels are incorrect or missing, automated version validation will fail and block merge.

Dependencies of PR

Testing

Copilot AI review requested due to automatic review settings March 9, 2026 15:45
@sarasvoss sarasvoss requested a review from a team as a code owner March 9, 2026 15:45
@sarasvoss sarasvoss added the version:untracked Used to validate PRs with no versioned component contract changes label Mar 9, 2026
github-actions bot commented Mar 9, 2026

Tags

  • No Tags will be created on main

Copilot AI left a comment

Pull request overview

Updates the Terraform validate/plan “env roots” reusable workflow to call the legacy-stable reusable workflow via a fully-qualified owner/repo@ref reference (mirroring how external consumers reference it), and includes a package-lock.json refresh that bumps several transitive dependencies.

Changes:

  • Switch .github/workflows/tf_validate_plan_env_roots.yml from a local reusable workflow reference to OpenSesame/core-github-actions/...@legacy-stable.
  • Refresh package-lock.json, bumping transitive packages (e.g., minimatch, ajv, brace-expansion) and removing some "peer": true markers.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/workflows/tf_validate_plan_env_roots.yml | Points the env-roots workflow to the legacy-stable reusable workflow via external-style reference. |
| package-lock.json | Updates transitive dependency versions/metadata as part of a lockfile regeneration. |

Comment on lines 33 to 37
TF-Validate-Plan-Roots:
name: TF Validate/Plan ENV Roots
uses: ./.github/workflows/tf_validate_plan_single_root.yml
uses: OpenSesame/core-github-actions/.github/workflows/tf_validate_plan_single_root.yml@legacy-stable
strategy:
fail-fast: false # continues to run jobs even if one fails
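
Review bot: The replacement uses: line references the reusable workflow by the branch name legacy-stable, which is a mutable ref, so whatever is pushed to that branch runs in this job on the next trigger without any change to this file. If the goal is a stable contract, reference a full commit SHA or a protected tag instead, and confirm that legacy-stable has branch protection. Also note that with the fully-qualified owner/repo reference, a PR in this repo that edits tf_validate_plan_single_root.yml is no longer exercised by this job, since it always runs the copy on legacy-stable; the PR description should say that this is intended.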
Copilot AI Mar 9, 2026

This job now calls a reusable workflow via uses: but the workflow doesn't declare permissions. Other callers (e.g., .github/workflows/deploy_environment.yml) explicitly grant id-token: write for the Terraform plan workflow; without equivalent permissions here, the called workflow may not be able to request an OIDC token (common failure when using aws-actions/configure-aws-credentials). Consider adding an explicit permissions block (at least id-token: write and contents: read) to this workflow or to the TF-Validate-Plan-Roots job so token permissions are well-defined for downstream callers.
