Skip to content

Bump vendored shared/apm.md from microsoft/apm-action@v1.5.0 to @v1.6.0 #30561

Description

@danielmeppiel

Summary

The vendored copy of shared/apm.md at .github/workflows/shared/apm.md currently pins microsoft/apm-action@v1.5.0 (lines 14, 238, 304, 317, 331). The canonical source of truth in microsoft/apm has moved to @v1.6.0. Please re-vendor.

Why this matters

shared/apm.md is consumed at compile time by gh aw, so its pin gets baked into every generated lock file (e.g. *.lock.yml). Drift between the canonical and vendored copy means downstream agentic workflows lag behind upstream apm-action improvements until gh-aw bumps and re-releases.

What's in v1.6.0 vs v1.5.0

From the v1.6.0 release notes:

  • feat: bundle-format input + setup-only mode (microsoft/apm-action#31) — adds setup-only: true for callers that only need the APM CLI installed, and a bundle-format input to disambiguate plugin-format vs apm-format bundles. Neither input is required by the existing shared workflow, so the bump is backward-compatible.

This is a routine drift bump. No security fix is gated on it.

Related context

microsoft/apm#1148 reported APM falling back to unverified tar xzf --strip-components=1 extraction. Root cause was apm-action v1.4.1's restore mode skipping ensureApmInstalled(). That bug was already fixed in v1.5.0 (and is therefore not present in current gh-aw releases — v0.71.1 was the last release vendoring v1.4.1; v0.71.2 onward vendors v1.5.0). So this issue is not a follow-up to #1148 — it's a normal sync.

Suggested change

Update in a single PR:

  1. .github/workflows/shared/apm.md — replace 5 occurrences of microsoft/apm-action@v1.5.0 with @v1.6.0 (including the # apm-action pin: comment at line 14 used by the "compare these two lines" sync check).
  2. pkg/workflow/data/action_pins.json and pkg/actionpins/data/action_pins.json — add an entry for microsoft/apm-action@v1.6.0 (sha 6aa87520...) so the compiler can pin it.
  3. .github/aw/actions-lock.json — refresh accordingly.

Happy to send a PR if useful — just wanted to flag it from the upstream side. Thanks!

cc microsoft/apm maintainers via microsoft/apm#1148 for visibility.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions