[plan] Add bounds validation after sortPinsByVersion in GetActionPinByRepo

[github-actions]

Objective

Add defensive validation after sortPinsByVersion() to ensure the sorted slice is non-empty before accessing the first element.

Context

Source: Sergo Analysis Report #14696 - Critical Issue #2
Location: pkg/workflow/action_pins.go:432
Severity: Critical

The GetActionPinByRepo() function trusts that sortPinsByVersion() preserves slice length, but there's no validation that the sorting function behaves correctly. If sortPinsByVersion() has a bug or returns an empty slice unexpectedly, this causes a panic.

Current Code (Lines 428-432)

sortedPins := sortPinsByVersion(matchingPins)

// Return the latest version (first after sorting)
return sortedPins[0], true  // ❌ What if sortPinsByVersion returns empty?

Proposed Fix

sortedPins := sortPinsByVersion(matchingPins)
if len(sortedPins) == 0 {
    actionPinsLog.Printf("WARNING: sortPinsByVersion returned empty slice for repo %s", repo)
    return ActionPin{}, false
}
return sortedPins[0], true

Acceptance Criteria

• Add length check after sortPinsByVersion() call
• Add warning log if sorted slice is empty
• Return zero value and false on empty slice
• Run existing tests to ensure no behavior changes
• No new test failures introduced
  Related to [sergo] Initialization Safety & Type Guards Analysis - 2026-02-09 #14696

AI generated by Plan Command for #14696

• expires on Feb 12, 2026, 1:07 AM UTC

[github-actions]

This issue was automatically closed because it expired on 2026-02-12T01:07:45.712Z.

Closed by Workflow