gh aw compile pins actions/github-script@v8 to the v9 SHA when dynamic resolution fails #30897

@anthonymastreanvae

Description

Summary

When the compiler cannot dynamically resolve action tags (e.g., network/auth issues reaching github.com from a GHE environment), it falls back to a hardcoded pin table. Both actions/github-script@v9 and actions/github-script@v8 are pinned to the same SHA — the v9.0.0 commit.

Observed behavior

⚠ Unable to resolve actions/github-script@v9 dynamically, using hardcoded pin for actions/github-script@v9.0.0
⚠ Unable to resolve actions/github-script@v8 dynamically, using hardcoded pin for actions/github-script@v9.0.0

Both references get pinned to 3a2844b7e9c422d3c10d287c895573f7108da1b3.

Expected behavior

actions/github-script@v8 should pin to its correct SHA: ed597411d8f924073f98dfc5c65a23a2325f34cd.

Verification

$ git ls-remote --tags https://github.com/actions/github-script.git | grep -E "v[89]"
ed597411d8f924073f98dfc5c65a23a2325f34cd   refs/tags/v8
ed597411d8f924073f98dfc5c65a23a2325f34cd   refs/tags/v8.0.0
373c709c69115d41ff229c7e5df9f8788daa9553   refs/tags/v9
d746ffe35508b1917358783b479e04febd2b8f71   refs/tags/v9.0.0
3a2844b7e9c422d3c10d287c895573f7108da1b3   refs/tags/v9.0.0^{}

The v8 tag points to ed597411..., not 3a2844b7....

Impact

Low — v9 is backward-compatible for typical usage. But the lockfile records an incorrect SHA for @v8, which could cause confusion during security audits or if breaking changes are introduced in a future v9.x.

Environment

  • gh aw compiled locally on Windows against a GHE instance (itpie.ghe.com)
  • Dynamic resolution fails (likely because the compiler can't reach github.com or lacks a token for it)

This bug report was drafted with the assistance of GitHub Copilot.
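The check described under Verification can be automated for a lockfile audit. The following is an added example, not part of the original issue or of the gh aw code base: it parses the `git ls-remote --tags` listing quoted above, resolves annotated tags through their peeled `^{}` entry, and flags any pin whose SHA is not the commit its tag points to. The `PINS` list shape and the function names are assumptions for illustration, not the gh aw lockfile format.

```python
# Added example: audit pinned action SHAs against `git ls-remote --tags` output.
# LS_REMOTE is the listing quoted in the issue above.
LS_REMOTE = """\
ed597411d8f924073f98dfc5c65a23a2325f34cd   refs/tags/v8
ed597411d8f924073f98dfc5c65a23a2325f34cd   refs/tags/v8.0.0
373c709c69115d41ff229c7e5df9f8788daa9553   refs/tags/v9
d746ffe35508b1917358783b479e04febd2b8f71   refs/tags/v9.0.0
3a2844b7e9c422d3c10d287c895573f7108da1b3   refs/tags/v9.0.0^{}
"""
V9_0_0 = "3a2844b7e9c422d3c10d287c895573f7108da1b3"
# Hypothetical pin list (not the gh aw lockfile format): (ref, pinned SHA).
PINS = [
    ("actions/github-script@v9.0.0", V9_0_0),
    ("actions/github-script@v8", V9_0_0),  # the pin reported in the issue
]

def resolve_tags(listing):
    """Map tag -> commit SHA. An annotated tag is listed twice: the tag object,
    then a peeled `^{}` line naming the commit it points at; the commit wins."""
    direct, peeled = {}, {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) != 2 or not fields[1].startswith("refs/tags/"):
            continue
        sha, name = fields[0].lower(), fields[1][len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha
        else:
            direct[name] = sha
    return {**direct, **peeled}

def audit_pins(pins, tags):
    """Return one finding per pin whose SHA is not the commit its tag resolves to."""
    findings = []
    for ref, pinned in pins:
        tag = ref.rsplit("@", 1)[1]
        expected = tags.get(tag)  # None means the tag is not in the listing
        if expected != pinned.lower():
            owners = sorted(t for t, s in tags.items() if s == pinned.lower())
            findings.append({"ref": ref, "pinned": pinned, "expected": expected,
                             "pinned_sha_belongs_to": owners})
    return findings

if __name__ == "__main__":
    for f in audit_pins(PINS, resolve_tags(LS_REMOTE)):
        print(f"MISMATCH {f['ref']}: pinned {f['pinned'][:8]}, "
              f"expected {f['expected']}, SHA belongs to {f['pinned_sha_belongs_to']}")
```

Without the peeled-entry handling, the `v9.0.0` pin would be compared against the tag object `d746ffe3...` and reported as a false mismatch.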
