[P8.1] Recompile triage-incoming-issues.lock.yml to pick up gh-aw v0.79.8 + checkout v6.0.3

[frankbria]

Background

Dependabot PR #309 (github-actions group) tried to bump three actions. PR #326 took the two safe ones (anthropics/claude-code-action → v1.0.148, plus a fix to the gh-aw Dependabot ignore glob). This issue tracks the part that cannot be done by bumping a pin: the compiled gh-aw lock file.

What needs to happen

.github/workflows/triage-incoming-issues.lock.yml is a compiled artifact. Its github/gh-aw-actions/setup pin is version-locked to the gh-aw compiler that generated it (currently v0.77.5). Dependabot's attempt to bump it to v0.79.8 desynced the runtime .cjs scripts from the compiled body and tripped the guard:

not ok 995 gh-aw lock files keep setup pins at the compiler version
  triage-incoming-issues.lock.yml [compiler v0.77.5]:
    uses: github/gh-aw-actions/setup@c0338fe… # v0.79.8
  Fix by recompiling ('gh aw compile'), never by bumping the pin.

The fix is to upgrade the gh-aw toolchain and recompile, not to hand-edit the pin:

1. Update the local gh-aw extension to v0.79.8 (gh extension upgrade aw or equivalent).
2. Recompile the source workflow: gh aw compile (regenerates triage-incoming-issues.lock.yml with the matching setup pin and compiler_version metadata).
3. The recompile will also naturally pick up actions/checkout 6.0.2 → 6.0.3 inside the lock file — its only remaining 6.0.2 reference. (The hand-maintained workflows are already on 6.0.3.)
4. Verify guards pass: bats tests/unit/test_workflow_sha_pinning.bats.
5. Heads-up: committing a recompiled .lock.yml may trip the local pre-commit secret scanner on the manifest line (names + SHAs, not values) — verify there are no real secrets, then commit (see prior gh-aw recompile PRs).

Notes

• Do not simply bump the pin — the guard exists precisely to prevent that desync (Issue Upgrade gh-aw extension and recompile triage-incoming-issues.lock.yml (currently version-locked at v0.46.5) #287, PR chore(deps): bump the github-actions group across 1 directory with 7 updates #283).
• With PR ci(deps): bump claude-code-action to v1.0.148; fix gh-aw dependabot ignore #326's ignore-glob fix in place, Dependabot should stop re-proposing this bump.
• Once this lands, Dependabot PR ci(deps): bump the github-actions group with 3 updates #309 can be closed (superseded by ci(deps): bump claude-code-action to v1.0.148; fix gh-aw dependabot ignore #326 + this issue).

[coderabbitai]

🔗 Related PRs

#281 - ci(workflows): pin GitHub Actions to commit SHAs (#275) [merged]
#288 - ci(workflows): recompile triage workflow with gh-aw v0.77.5 (#287) [merged]
#292 - fix(triage): switch issue-triage workflow to Claude engine (#272, #290) [merged]
#308 - feat(ci): publish ralph-sandbox image to GHCR on release tags (#298) [merged]
#326 - ci(deps): bump claude-code-action to v1.0.148; fix gh-aw dependabot ignore [closed]

---

📝 Issue Planner

_{Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.}

• Create Plan

---

🧪 Issue enrichment is currently in open beta.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!

[github-actions]

🏷️ Triage: maintenance / infrastructure chore

Thanks for the detailed write-up. Here's how this issue categorizes:

• Category: Infrastructure / dependency-maintenance task (recompile a compiled gh-aw lock artifact to pick up the v0.79.8 toolchain + actions/checkout 6.0.3). This is intentional maintenance, not a bug — the test_workflow_sha_pinning.bats guard tripping is the correct, intended behavior protecting against a runtime .cjs ↔ compiled-body desync, exactly as designed in Upgrade gh-aw extension and recompile triage-incoming-issues.lock.yml (currently version-locked at v0.46.5) #287 / chore(deps): bump the github-actions group across 1 directory with 7 updates #283.
• Not a duplicate: this is the canonical tracking issue for the part of Dependabot PR ci(deps): bump the github-actions group with 3 updates #309 that can't be resolved by bumping a pin. It supersedes that slice of ci(deps): bump the github-actions group with 3 updates #309 (alongside ci(deps): bump claude-code-action to v1.0.148; fix gh-aw dependabot ignore #326), rather than duplicating another open issue.
• Not a feature request and not unclear — the body already lays out a precise, ordered remediation plan.

Labels: already correctly tagged infrastructure + dependencies; no triage label change needed. None of the auto-triage labels (bug / enhancement / needs-info / documentation) apply to a chore like this, so I'm intentionally not adding one.

Recommended next steps (per the issue body):

1. Upgrade the gh-aw extension to v0.79.8 and recompile with gh aw compile — do not hand-edit the setup pin.
2. Confirm guards pass: bats tests/unit/test_workflow_sha_pinning.bats.
3. After this lands, close Dependabot PR ci(deps): bump the github-actions group with 3 updates #309 as superseded by ci(deps): bump claude-code-action to v1.0.148; fix gh-aw dependabot ignore #326 + this issue.

No automated action taken beyond this triage note.

Generated by Issue Triage Assistant for issue #327 · opus48 597.8K · ◷