Summary
The vendored copy of shared/apm.md at .github/workflows/shared/apm.md currently pins microsoft/apm-action@v1.5.0 (lines 14, 238, 304, 317, 331). The canonical source of truth in microsoft/apm has moved to @v1.6.0. Please re-vendor.
Why this matters
shared/apm.md is consumed at compile time by gh aw, so its pin gets baked into every generated lock file (e.g. *.lock.yml). Drift between the canonical and vendored copy means downstream agentic workflows lag behind upstream apm-action improvements until gh-aw bumps and re-releases.
What's in v1.6.0 vs v1.5.0
From the v1.6.0 release notes:
feat: bundle-format input + setup-only mode (microsoft/apm-action#31) — adds setup-only: true for callers that only need the APM CLI installed, and a bundle-format input to disambiguate plugin-format vs apm-format bundles. Neither input is required by the existing shared workflow, so the bump is backward-compatible.
This is a routine drift bump. No security fix is gated on it.
Related context
microsoft/apm#1148 reported APM falling back to unverified tar xzf --strip-components=1 extraction. Root cause was apm-action v1.4.1's restore mode skipping ensureApmInstalled(). That bug was already fixed in v1.5.0 (and is therefore not present in current gh-aw releases — v0.71.1 was the last release vendoring v1.4.1; v0.71.2 onward vendors v1.5.0). So this issue is not a follow-up to #1148 — it's a normal sync.
Suggested change
Update in a single PR:
.github/workflows/shared/apm.md — replace 5 occurrences of microsoft/apm-action@v1.5.0 with @v1.6.0 (including the # apm-action pin: comment at line 14 used by the "compare these two lines" sync check).
pkg/workflow/data/action_pins.json and pkg/actionpins/data/action_pins.json — add an entry for microsoft/apm-action@v1.6.0 (sha 6aa87520...) so the compiler can pin it.
.github/aw/actions-lock.json — refresh accordingly.
Happy to send a PR if useful — just wanted to flag it from the upstream side. Thanks!
cc microsoft/apm maintainers via microsoft/apm#1148 for visibility.
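The "compare these two lines" sync check and the action_pins.json lookup described under Suggested change, as an added example that is not gh-aw's own code. It reads the vendored file, collects every microsoft/apm-action@<tag> reference (the pin comment counts as one, as in the 5-occurrence figure above), and reports drift against the canonical tag and against the pin table. The layout it assumes is a guess, not gh-aw's real schema: a `# apm-action pin: owner/repo@tag` comment in the vendored file, and an action_pins.json keyed by `owner/repo@tag` with a 40-hex `sha` field. The sample markdown and pin table are constructed; the short sha in them is a placeholder, not the real commit.

```python
"""Drift check for a vendored shared workflow that pins a GitHub Action by tag.

Added example, not gh-aw's own code. Assumed layout (not the real schema):
  - the vendored file marks its intended pin with '# apm-action pin: owner/repo@tag'
    and uses the same ref in its 'uses:' lines;
  - action_pins.json maps 'owner/repo@tag' to an object with a 40-hex 'sha'.
"""
import json
import re

ACTION = "microsoft/apm-action"
REF_RE = re.compile(re.escape(ACTION) + r"@([A-Za-z0-9][A-Za-z0-9._-]*)")
PIN_COMMENT_RE = re.compile(
    r"^\s*#\s*apm-action pin:\s*" + re.escape(ACTION) + r"@(\S+)", re.M
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample of the vendored file: pin comment plus uses: lines, one of
# which was bumped by hand and now drifts from the rest.
SAMPLE_MD = """\
---
# apm-action pin: microsoft/apm-action@v1.5.0
---
steps:
  - uses: microsoft/apm-action@v1.5.0
  - uses: microsoft/apm-action@v1.5.0
  - uses: microsoft/apm-action@v1.6.0
"""

# Constructed pin table. The 40-zero sha is a placeholder; the v1.6.0 entry is
# deliberately truncated so the check flags that the compiler could not pin it.
SAMPLE_PINS = json.dumps({
    "microsoft/apm-action@v1.5.0": {"sha": "0" * 40},
    "microsoft/apm-action@v1.6.0": {"sha": "abc1234"},
})

# What the file and table look like once the bump has been applied everywhere.
FIXED_MD = SAMPLE_MD.replace("v1.5.0", "v1.6.0")
FIXED_PINS = json.dumps({"microsoft/apm-action@v1.6.0": {"sha": "0" * 40}})


def find_refs(md_text):
    """Return (line_number, tag) for every ACTION@tag reference, 1-indexed.
    The pin comment line is included on purpose: it must move with the uses: lines."""
    refs = []
    for n, line in enumerate(md_text.splitlines(), start=1):
        for m in REF_RE.finditer(line):
            refs.append((n, m.group(1)))
    return refs


def pin_comment_tag(md_text):
    """Tag named in the '# apm-action pin:' comment, or None if the comment is absent."""
    m = PIN_COMMENT_RE.search(md_text)
    return m.group(1) if m else None


def check_drift(md_text, pins_json, canonical_tag):
    """Compare the vendored file against the canonical tag and the pin table.
    Returns finding strings in detection order; an empty list means in sync."""
    pins = json.loads(pins_json)
    findings = []
    refs = find_refs(md_text)
    tags = {t for _, t in refs}
    comment = pin_comment_tag(md_text)
    if comment is None:
        findings.append("missing '# apm-action pin:' comment")
    elif comment not in tags:
        findings.append(f"pin comment {comment} matches no uses: line")
    if len(tags) > 1:
        findings.append("mixed tags in vendored file: " + ", ".join(sorted(tags)))
    for tag in sorted(tags):
        if tag != canonical_tag:
            lines = [n for n, t in refs if t == tag]
            findings.append(f"{tag} lags canonical {canonical_tag} at lines {lines}")
        entry = pins.get(f"{ACTION}@{tag}")
        sha = entry.get("sha") if entry else None
        if not sha or not SHA_RE.match(sha):
            findings.append(f"no full 40-hex sha for {ACTION}@{tag} in action_pins.json")
    return findings


if __name__ == "__main__":
    for f in check_drift(SAMPLE_MD, SAMPLE_PINS, "v1.6.0"):
        print("drift:", f)
    print("after bump:", check_drift(FIXED_MD, FIXED_PINS, "v1.6.0") or "in sync")
```

The sha check is the part worth keeping even after the bump lands: a tag in the vendored file that has no 40-hex entry in action_pins.json means the compiler would emit a mutable tag into every generated lock file instead of a commit sha.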