Skip hardcoded action pin fallback when GH_HOST is a non-github.qkg1.top host

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Author: Copilot

.changeset/patch-skip-hardcoded-pins-on-ghe-host.md

@@ -98,6 +98,11 @@ type PinContext struct {
 	Warnings map[string]bool
 	// RecordResolutionFailure receives unresolved pinning failures for auditing.
 	RecordResolutionFailure func(f ResolutionFailure)
+	// SkipHardcodedFallback suppresses the non-strict hardcoded-pin fallback that
+	// fires when dynamic resolution fails. Set this when GH_HOST is configured to a
+	// non-github.qkg1.top host: the dynamic resolver will query the wrong host and fail,
+	// so silently falling back to bundled pins would produce unverified SHA pins.
+	SkipHardcodedFallback bool
 }
 
 var (
@@ -376,6 +381,16 @@ func logDynamicResolutionSkipped(hasResolver, isAlreadySHA bool) {
 
 func resolveActionPinFromHardcodedPins(actionRepo, version string, isAlreadySHA bool, ctx *PinContext) (string, bool) {
 	actionPinsLog.Printf("Falling back to hardcoded pins for %s@%s", actionRepo, version)
+
+	// When the caller is targeting a non-github.qkg1.top host (e.g. GHES/GHEC), the
+	// dynamic resolver already failed because it queried the wrong host.  Silently
+	// falling back to bundled pins in that case produces unverified SHA pins and
+	// masks the real problem, so skip this fallback entirely.
+	if ctx.SkipHardcodedFallback {
+		actionPinsLog.Printf("SkipHardcodedFallback set, skipping hardcoded pin lookup for %s@%s", actionRepo, version)
+		return "", false
+	}
+
 	matchingPins := GetActionPinsByRepo(actionRepo)
 	if len(matchingPins) == 0 {
 		actionPinsLog.Printf("No hardcoded pins found for %s", actionRepo)

pkg/actionpins/actionpins.go

@@ -218,3 +218,25 @@ func TestResolveExactHardcodedPin_BySHA(t *testing.T) {
 	require.True(t, ok, "Expected exact SHA match to resolve")
 	assert.Contains(t, result, "sha-v5", "Expected result to include matched SHA")
 }
+
+func TestResolveActionPinFromHardcodedPins_SkipHardcodedFallback(t *testing.T) {
+	t.Run("returns false immediately when SkipHardcodedFallback is set", func(t *testing.T) {
+		ctx := &PinContext{SkipHardcodedFallback: true, Warnings: make(map[string]bool)}
+
+		// actions/checkout has hardcoded pins, but SkipHardcodedFallback should prevent use
+		result, ok := resolveActionPinFromHardcodedPins("actions/checkout", "v4", false, ctx)
+
+		assert.False(t, ok, "Expected SkipHardcodedFallback to prevent hardcoded pin lookup")
+		assert.Empty(t, result, "Expected no pinned result when SkipHardcodedFallback is set")
+	})
+
+	t.Run("allows hardcoded pins when SkipHardcodedFallback is not set", func(t *testing.T) {
+		ctx := &PinContext{SkipHardcodedFallback: false, Warnings: make(map[string]bool)}
+
+		// actions/checkout has hardcoded pins and should resolve
+		result, ok := resolveActionPinFromHardcodedPins("actions/checkout", "v4", false, ctx)
+
+		assert.True(t, ok, "Expected hardcoded pins to be consulted when SkipHardcodedFallback is false")
+		assert.NotEmpty(t, result, "Expected a pinned result when SkipHardcodedFallback is not set")
+	})
+}

pkg/actionpins/actionpins_internal_test.go

@@ -628,6 +628,13 @@ func (d *WorkflowData) PinContext() *actionpins.PinContext {
 	if d.ActionResolver != nil {
 		pinCtx.Resolver = d.ActionResolver
 	}
+	// When GH_HOST is set to a non-github.qkg1.top host (GHES/GHEC), the action
+	// resolver targets that host and fails to resolve actions/* repos which live
+	// on github.com.  Silently falling back to bundled hardcoded pins in that
+	// case produces unverified SHA pins, so disable the fallback.
+	if ghHost := os.Getenv("GH_HOST"); ghHost != "" && ghHost != "github.com" {
+		pinCtx.SkipHardcodedFallback = true
+	}
 	return pinCtx
 }
 

pkg/workflow/compiler_types.go

@@ -0,0 +1,49 @@
+//go:build !integration
+
+package workflow
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestWorkflowData_PinContext_SkipHardcodedFallback(t *testing.T) {
+	t.Run("sets SkipHardcodedFallback when GH_HOST is a non-github.qkg1.top host", func(t *testing.T) {
+		t.Setenv("GH_HOST", "myorg.ghe.com")
+
+		d := &WorkflowData{}
+		ctx := d.PinContext()
+
+		require.NotNil(t, ctx)
+		assert.True(t, ctx.SkipHardcodedFallback, "Expected SkipHardcodedFallback to be true when GH_HOST is a GHE host")
+	})
+
+	t.Run("does not set SkipHardcodedFallback when GH_HOST is github.com", func(t *testing.T) {
+		t.Setenv("GH_HOST", "github.com")
+
+		d := &WorkflowData{}
+		ctx := d.PinContext()
+
+		require.NotNil(t, ctx)
+		assert.False(t, ctx.SkipHardcodedFallback, "Expected SkipHardcodedFallback to be false when GH_HOST is github.com")
+	})
+
+	t.Run("does not set SkipHardcodedFallback when GH_HOST is not set", func(t *testing.T) {
+		require.NoError(t, os.Unsetenv("GH_HOST"))
+
+		d := &WorkflowData{}
+		ctx := d.PinContext()
+
+		require.NotNil(t, ctx)
+		assert.False(t, ctx.SkipHardcodedFallback, "Expected SkipHardcodedFallback to be false when GH_HOST is not set")
+	})
+
+	t.Run("returns nil for nil WorkflowData", func(t *testing.T) {
+		var d *WorkflowData
+		ctx := d.PinContext()
+		assert.Nil(t, ctx)
+	})
+}