From b002c214350a75006a4d418aa35f5c3db22523ae Mon Sep 17 00:00:00 2001
From: Dmitrii Creed
Date: Tue, 30 Jun 2026 13:48:07 +0400
Subject: [PATCH] fix(actions): pin github-actions runtime image to the release version
The four composite actions (deploy-client-stack, provision-parent-stack, cancel-stack, destroy) hardcoded image docker://simplecontainer/github-actions:latest. A Docker-based action's image field is a parse-time literal with no expression interpolation, so pinning the action git ref (e.g. @2026.6.14) only pinned the thin action.yml wrapper. The runtime image still floated to whatever :latest pointed at. Any release that re-tags :latest therefore silently changed the runtime for every downstream consumer that believed it was pinned. This already bit a PAY-SPACE deploy on 2026-06-30 when 2026.6.17 moved :latest mid-day. Fix unifies on the :staging placeholder that branch-preview.yaml already expects:
- action.yml x4: :latest -> :staging, so @main resolves to the maintained staging image and branch-preview.yaml's existing :staging -> version substitution actually applies (previously a no-op, so previews shipped :latest too).
- welder.yaml tag-release: substitute :staging -> :${project:version} and commit before tagging, mirroring branch-preview.yaml. Prod release tags now ship action.yml pinned to their own version's image, which is the image push.yaml already builds and signs. The :latest and :staging Docker tags are still published, so any consumer referencing them directly is unaffected.
Signed-off-by: Dmitrii Creed
---
 .github/actions/cancel-stack/action.yml | 2 +-
 .github/actions/deploy-client-stack/action.yml | 2 +-
 .github/actions/destroy/action.yml | 2 +-
 .github/actions/provision-parent-stack/action.yml | 2 +-
 welder.yaml | 6 ++++++
 5 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/.github/actions/cancel-stack/action.yml b/.github/actions/cancel-stack/action.yml
index e601b4ba..5256b493 100644
--- a/.github/actions/cancel-stack/action.yml
+++ b/.github/actions/cancel-stack/action.yml
@@ -71,7 +71,7 @@ outputs:
 runs:
 using: 'docker'
- image: 'docker://simplecontainer/github-actions:latest'
+ image: 'docker://simplecontainer/github-actions:staging'
 env:
 GITHUB_ACTION_TYPE: 'cancel-stack'
 STACK_NAME: ${{ inputs.stack-name }}
diff --git a/.github/actions/deploy-client-stack/action.yml b/.github/actions/deploy-client-stack/action.yml
index 534006b9..b435f2dd 100644
--- a/.github/actions/deploy-client-stack/action.yml
+++ b/.github/actions/deploy-client-stack/action.yml
@@ -69,7 +69,7 @@ outputs:
 runs:
 using: 'docker'
- image: 'docker://simplecontainer/github-actions:latest'
+ image: 'docker://simplecontainer/github-actions:staging'
 env:
 GITHUB_ACTION_TYPE: 'deploy-client-stack'
 STACK_NAME: ${{ inputs.stack-name }}
diff --git a/.github/actions/destroy/action.yml b/.github/actions/destroy/action.yml
index ef28e893..8fadc740 100644
--- a/.github/actions/destroy/action.yml
+++ b/.github/actions/destroy/action.yml
@@ -72,7 +72,7 @@ outputs:
 runs:
 using: 'docker'
- image: 'docker://simplecontainer/github-actions:latest'
+ image: 'docker://simplecontainer/github-actions:staging'
 env:
 GITHUB_ACTION_TYPE: 'destroy'
 STACK_NAME: ${{ inputs.stack-name }}
diff --git a/.github/actions/provision-parent-stack/action.yml b/.github/actions/provision-parent-stack/action.yml
index 7e3e5ec3..9042038f 100644
--- a/.github/actions/provision-parent-stack/action.yml
+++ b/.github/actions/provision-parent-stack/action.yml
@@ -62,7 +62,7 @@ outputs:
 runs:
 using: 'docker'
- image: 'docker://simplecontainer/github-actions:latest'
+ image: 'docker://simplecontainer/github-actions:staging'
 env:
 GITHUB_ACTION_TYPE: 'provision-parent-stack'
 STACK_NAME: ${{ inputs.stack-name }}
diff --git a/welder.yaml b/welder.yaml
index c0023016..2b805960 100644
--- a/welder.yaml
+++ b/welder.yaml
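Review bot: The new `image: 'docker://simplecontainer/github-actions:staging'` line carries nothing that tells a reader it is a placeholder, so the next person who notices `:staging` in a production action is likely to "fix" it back to a release tag or `:latest` and reintroduce the floating runtime this commit removes. A comment directly above the line in each of the four action.yml files would pin the intent: `# Placeholder tag: rewritten to the release version by welder.yaml tag-release (and by branch-preview.yaml for previews). Do not hand-edit.` It is also worth stating there that the rewrite depends on this exact string matching the sed pattern in welder.yaml, since a cosmetic change such as quoting style or a digest suffix would silently turn the substitution into a no-op and ship `:staging` as the release runtime.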
@@ -272,6 +272,12 @@ tasks:
 tag-release:
 runOn: host
 script:
+ # Pin the github-actions runtime image to this exact release version in
+ # every composite action, so consumers pinning the action git ref get a
+ # reproducible image instead of floating :staging. Mirrors branch-preview.yaml.
+ - find .github/actions -name action.yml -exec sed -i "s|docker://simplecontainer/github-actions:staging|docker://simplecontainer/github-actions:${project:version}|g" {} +
+ - git add .github/actions/*/action.yml
+ - git commit -m "chore(release): pin github-actions image to ${project:version}" || echo "github-actions image tags already pinned"
 - git tag ${project:version} || echo "Already set tag ${project:version}"
 - git push -f origin ${project:version} || echo "Tag ${project:version} already exists in origin"
 build-docs:
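Review bot: The `|| echo "github-actions image tags already pinned"` on the new `git commit` line swallows every failure of the commit (no `user.email`/`user.name` configured on the host, a rejecting hook, a locked index), not only the no-change case, and the unchanged `git tag`/`git push -f` lines that follow then cut a release whose action.yml still says `:staging` — silently, which is exactly the failure mode this commit sets out to remove. Gate the commit on the staged diff instead so that only "nothing to pin" is skipped and a real error propagates: `git diff --cached --quiet -- .github/actions/*/action.yml || git commit -m "chore(release): pin github-actions image to ${project:version}"` (this assumes the welder task runner stops on a failing command, which is not visible in this hunk). A second, smaller point: `:${project:version}` is still a mutable registry tag, so the pin holds only as long as nobody re-pushes that tag; since push.yaml already signs the image, resolving its digest and writing `...:${project:version}@sha256:<digest>` into action.yml would make the reference immutable, provided the image is pushed before tag-release runs. The same mutability applies to the pre-existing `git push -f origin ${project:version}`, which lets the release git tag itself be re-pointed after the fact.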