feat: pin microsoft/apm CLI version with user override and auto-update monitoring #21288

Closed
Copilot wants to merge 4 commits into main from copilot/add-versioning-to-microsoft-apm

Contributor

Copilot AI commented Mar 16, 2026

The microsoft/apm-action was installing the apm CLI at latest with no version pinning, making dependency installation non-deterministic. This adds a pinned default version, per-workflow overrides, automated version monitoring, and proper action SHA pinning via the action pin manager.

Changes

  • pkg/constants/constants.go — adds DefaultAPMActionVersion Version = "v1.3.1" (the microsoft/apm-action GitHub Action version) and DefaultAPMVersion Version = "v0.8.0" (the apm CLI tool version)
  • pkg/workflow/frontmatter_types.go — adds APMVersion string field to APMDependenciesInfo and a GetAPMVersion() helper that falls back to DefaultAPMVersion
  • pkg/workflow/frontmatter_extraction_metadata.go — extracts apm-version from object-format dependencies config; applies default when absent (covers both array and object formats)
  • pkg/workflow/apm_dependencies.go — resolves microsoft/apm-action via the action pin manager (GetActionPinWithData) for dynamic SHA resolution during lock file compilation, with fallback to embedded static pins; passes apm-version input in both pack and restore steps
  • .github/workflows/cli-version-checker.md — adds microsoft/apm GitHub releases as a monitored source so new releases trigger an automated update issue
  • docs/src/content/docs/reference/dependencies.md — documents the new apm-version field

Usage

dependencies:
  packages:
    - microsoft/apm-sample-package
  isolated: true
  apm-version: v0.8.0   # optional; omit to use the default pinned version

Array format (dependencies: [pkg1, pkg2]) continues to work unchanged and automatically picks up DefaultAPMVersion.

Original prompt

Create a PR that adds versioning to the microsoft/apm tool used to install dependencies.

The tool must be pinned to a known version. Choose the latest available version and store that version number in a Go const. Use this constant as the default version.

Allow users to override the default by specifying an apm-version field in the dependencies configuration.

Update the gh-aw CLI version checker to inspect microsoft/apm and report when a newer version is available.
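
The default-and-override behaviour described in the PR summary above, as an added Go example that is not code from this pull request or from the gh-aw repository. The function names resolveAPMVersion and isPinnedActionRef and the strict vX.Y.Z validation are assumptions; the default v0.8.0 is the value the description gives, and the inputs in main are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// defaultAPMVersion mirrors the value the PR description gives for DefaultAPMVersion.
const defaultAPMVersion = "v0.8.0"

var (
	// Exact release tags only; "latest", ranges and branch names are rejected (assumed policy).
	versionTag = regexp.MustCompile(`^v\d+\.\d+\.\d+$`)
	// An immutable action reference: owner/repo@<40 hex chars>.
	shaRef = regexp.MustCompile(`^[\w.-]+/[\w.-]+@[0-9a-f]{40}$`)
)

// resolveAPMVersion (hypothetical) maps the decoded `dependencies` value to an apm CLI version.
func resolveAPMVersion(deps any) (string, error) {
	switch d := deps.(type) {
	case []any: // array format: no place for an override, use the default
		return defaultAPMVersion, nil
	case map[string]any: // object format: optional apm-version key
		raw, present := d["apm-version"]
		if !present || raw == "" {
			return defaultAPMVersion, nil
		}
		v, ok := raw.(string)
		if !ok || !versionTag.MatchString(v) {
			return "", fmt.Errorf("apm-version %v is not an exact vX.Y.Z tag", raw)
		}
		return v, nil
	}
	return "", fmt.Errorf("unsupported dependencies format %T", deps)
}

// isPinnedActionRef reports whether ref is pinned to a full commit SHA rather than a tag.
func isPinnedActionRef(ref string) bool { return shaRef.MatchString(ref) }

func main() {
	for _, deps := range []any{ // constructed sample inputs
		[]any{"microsoft/apm-sample-package"},
		map[string]any{"apm-version": "v0.7.2"},
		map[string]any{"apm-version": "latest"},
	} {
		v, err := resolveAPMVersion(deps)
		fmt.Printf("version=%q err=%v\n", v, err)
	}
	fmt.Println(isPinnedActionRef("microsoft/apm-action@v1.3.1")) // tag reference, not a SHA pin
}
```

Rejecting a floating value such as latest at parse time keeps a workflow-level override from undoing the determinism the default pin provides.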



@github-actions
Contributor

Hey @Copilot 👋 — thanks for picking up the APM versioning task! Adding a pinned version constant for microsoft/apm and exposing an override in the frontmatter config is a solid improvement to the existing action-pin system.

The PR is currently a placeholder — the single 'Initial plan' commit contains no file changes. Here's what the implementation should address once the code work begins:

  • Add Go const for the default version — define const DefaultAPMActionVersion = "v1.3.1" in pkg/workflow/apm_dependencies.go (or a new apm_version.go) and wire it into GetActionPin("microsoft/apm-action").
  • Support apm-version in frontmatter — add a Version string field to APMDependenciesInfo in pkg/workflow/frontmatter_types.go, parse it from the object-format dependencies config in frontmatter_extraction_metadata.go, and pass it as an override to GetActionPinWithData in apm_dependencies.go.
  • Extend the version checker - pkg/cli/version.go is where the CLI version check lives; add a call to the GitHub Releases API for microsoft/apm and surface a notice when a newer version than the const is available.
  • Add tests — the established pattern is testify/assert in pkg/workflow/apm_dependencies_test.go. Cover: default version used when no apm-version is set, custom version overrides the default, and frontmatter extraction of the apm-version key.
  • Update PR description — replace the placeholder with a summary of what changed and why before marking the PR ready for review.

Generated by Contribution Check

- Add DefaultAPMVersion const (v0.7.2) to pkg/constants/constants.go
- Add APMVersion field and GetAPMVersion() helper to APMDependenciesInfo
- Extract apm-version from object-format frontmatter config
- Pass apm-version input to microsoft/apm-action in pack/restore steps
- Update tests to cover apm-version extraction and generation
- Add microsoft/apm to cli-version-checker workflow monitoring
- Update dependencies docs with apm-version field description

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Collaborator

@copilot use v0.8.0

Copilot AI changed the title from "[WIP] Add versioning to microsoft/apm tool for dependency management" to "feat: pin microsoft/apm CLI version with user override and auto-update monitoring" Mar 16, 2026
Copilot AI requested a review from pelikhan March 16, 2026 21:31
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 16, 2026

@copilot use v0.8.0

Updated DefaultAPMVersion to v0.8.0 in d20039d. Lock files recompiled — apm-version: v0.8.0 now appears in all generated APM steps.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw 7xRNufK/HELdiWy8-unsafeptr=false (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan
Collaborator

@copilot use action pin manager to pin apm version when creating lock file.

@pelikhan pelikhan marked this pull request as ready for review March 16, 2026 21:57
Copilot AI review requested due to automatic review settings March 16, 2026 21:57
…oft/apm-action reference

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Mar 16, 2026

@copilot use action pin manager to pin apm version when creating lock file.

Done in 0865cf0. Added DefaultAPMActionVersion = "v1.3.1" to constants and replaced GetActionPin("microsoft/apm-action") with a resolveAPMActionRef(data) helper that calls GetActionPinWithData — the same pattern used in mcp_github_config.go. This enables dynamic SHA resolution via the ActionResolver during lock file compilation, with fallback to the embedded action_pins.json.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw tants (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw ire (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha ath ../../../.pr**/*.json ame x_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility get cfg 64/pkg/tool/linux_amd64/vet user.email (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Contributor

Copilot AI left a comment

Pull request overview

Pins the microsoft/apm CLI version used by microsoft/apm-action to make dependency installation deterministic, while allowing workflow-level overrides and adding automated monitoring for upstream releases.

Changes:

  • Added default pinned versions for both microsoft/apm CLI and microsoft/apm-action, plus a frontmatter apm-version override.
  • Updated workflow generation to pass apm-version into pack/restore steps and resolve the action ref via the pin manager.
  • Extended the CLI version checker workflow/docs to monitor microsoft/apm releases and document the new field.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Show a summary per file

| File | Description |
| --- | --- |
| pkg/constants/constants.go | Introduces default pinned versions for the APM action + CLI. |
| pkg/workflow/frontmatter_types.go | Adds APMVersion and a helper to default it during generation. |
| pkg/workflow/frontmatter_extraction_metadata.go | Extracts apm-version from dependencies frontmatter and applies defaults. |
| pkg/workflow/apm_dependencies.go | Passes apm-version into generated steps and resolves action ref via pin manager. |
| pkg/workflow/apm_dependencies_test.go | Extends tests to validate default/override behavior for apm-version. |
| docs/src/content/docs/reference/dependencies.md | Documents apm-version usage in dependencies config. |
| .github/workflows/cli-version-checker.md | Adds microsoft/apm releases as a monitored source. |
| .github/workflows/cli-version-checker.lock.yml | Updates locked workflow description/hash for the monitoring change. |
| .github/workflows/smoke-claude.lock.yml | Updates locked smoke workflow to include apm-version inputs. |

Comments suppressed due to low confidence (1)

docs/src/content/docs/reference/dependencies.md:1

  • The docs example uses apm-version: v0.7.2, but this PR sets DefaultAPMVersion to v0.8.0 (and the PR description/example YAML also uses v0.8.0). Update this example (and/or the comment) to match the new default version to avoid confusion.

Comment on lines +14 to +24
// falling back to hardcoded pins in action_pins.json.
func resolveAPMActionRef(data *WorkflowData) string {
actionRepo := "microsoft/apm-action"
actionVersion := string(constants.DefaultAPMActionVersion)
pinnedRef, err := GetActionPinWithData(actionRepo, actionVersion, data)
if err != nil || pinnedRef == "" {
apmDepsLog.Printf("Failed to resolve %s@%s via pin manager: %v, using tag reference", actionRepo, actionVersion, err)
return fmt.Sprintf("%s@%s", actionRepo, actionVersion)
}
apmDepsLog.Printf("Resolved %s@%s to %s via pin manager", actionRepo, actionVersion, pinnedRef)
return pinnedRef
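Review bot: The failure branch (`if err != nil || pinnedRef == ""`) returns `fmt.Sprintf("%s@%s", actionRepo, actionVersion)`, which is a mutable tag reference, so a resolver failure yields a step that is not SHA-pinned and the only trace is a log line. Since the point of the change is deterministic pinning, consider returning the error to the caller so compilation can fail or warn visibly instead of degrading to the tag. The doc comment above the function mentions falling back to the hardcoded pins in action_pins.json but not this final tag fallback; it should describe it.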
Comment on lines +402 to +404
if apmVersion == "" {
apmVersion = constants.DefaultAPMVersion.String()
}
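Review bot: The empty-string test is the only check on apmVersion visible here, so a non-empty value from frontmatter such as whitespace or a floating name like latest would be kept as-is. Consider trimming the value and validating it against an exact version pattern before it is used as the apm-version input. The PR description also lists a GetAPMVersion() helper with the same fallback, so the default is applied in two places; keep one. Style: this hunk uses `constants.DefaultAPMVersion.String()` while resolveAPMActionRef uses `string(constants.DefaultAPMActionVersion)`; pick one form.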
Comment on lines +15 to +25
func resolveAPMActionRef(data *WorkflowData) string {
actionRepo := "microsoft/apm-action"
actionVersion := string(constants.DefaultAPMActionVersion)
pinnedRef, err := GetActionPinWithData(actionRepo, actionVersion, data)
if err != nil || pinnedRef == "" {
apmDepsLog.Printf("Failed to resolve %s@%s via pin manager: %v, using tag reference", actionRepo, actionVersion, err)
return fmt.Sprintf("%s@%s", actionRepo, actionVersion)
}
apmDepsLog.Printf("Resolved %s@%s to %s via pin manager", actionRepo, actionVersion, pinnedRef)
return pinnedRef
}
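Review bot: In the failure branch the log call formats err with %v even when the branch was entered because `pinnedRef == ""` with a nil error, which produces a "Failed to resolve ... : <nil>" message. Split the two conditions, or log a distinct message for the empty-result case, so the compile log shows why the tag fallback was taken.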
@pelikhan
Collaborator

@copilot merge main and recompile

@pelikhan pelikhan closed this Mar 16, 2026
Copilot stopped work on behalf of pelikhan due to an error March 16, 2026 22:30
@github-actions github-actions Bot deleted the copilot/add-versioning-to-microsoft-apm branch April 2, 2026 12:08