fix: replace SHA in comment example with @Version placeholder

derekmisler · derekmisler · commit fce1429354a8 · 2026-03-26T12:21:41.000-04:00
The SHA+version-comment on line 15 was a documentation example inside a YAML comment block. The release workflow's OLD_PIN_PATTERN grep matched it as a stale ref, causing the 'Create release commit with pinned refs' step to fail at the verification stage. Replacing the real SHA with '@Version' means it no longer matches '@[a-f0-9]{40}', so neither the update-self-refs sed nor the verification grep will ever touch it again. This also replaces all SHA-pinned refs in markdown documentation files (README.md, review-pr/README.md, security/README.md) with '@Version' so the update-self-refs job's markdown sed pass never matches them again. Accordingly, the MD_PIN_PATTERN definition and its while loop have been removed from release.yml's update-self-refs job — they will never match anything and are dead code. Assisted-By: docker-agent
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -368,8 +368,6 @@ jobs:
           OLD_PATTERN='docker/cagent-action[^@]*@[a-f0-9]\{40\} # v[^ ]*'
           # YAML sed: anchored on `uses:` to avoid false matches in comments
           YAML_PIN_PATTERN='s|\(uses: *docker/cagent-action\)\([^@]*\)@[a-f0-9]\{40\} # v[^ ]*|\1\2@'"${SHA}"' # '"${VERSION}"'|g'
-          # Markdown sed: anchored on `docker/cagent-action` directly (no `uses:` prefix in code blocks)
-          MD_PIN_PATTERN='s|\(docker/cagent-action\)\([^@]*\)@[a-f0-9]\{40\} # v[^ ]*|\1\2@'"${SHA}"' # '"${VERSION}"'|g'
 
           UPDATED_FILES=()
 
@@ -382,15 +380,6 @@ jobs:
             --exclude-dir=.git \
             review-pr/ .github/workflows/review-pr.yml .github/workflows/release.yml)
 
-          # Update Markdown files (broader pattern, no uses: anchor)
-          while IFS= read -r file; do
-            sed -i "$MD_PIN_PATTERN" "$file"
-            UPDATED_FILES+=("$file")
-            echo "  Updated (md): $file"
-          done < <(grep -rl "$OLD_PATTERN" --include='*.md' \
-            --exclude-dir=.git \
-            .)
-
           if [ ${#UPDATED_FILES[@]} -eq 0 ]; then
             echo "No self-refs needed updating, skipping."
             echo "skip=true" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/review-pr.yml b/.github/workflows/review-pr.yml
@@ -12,7 +12,7 @@
 #
 #   jobs:
 #     review:
-#       uses: docker/cagent-action/.github/workflows/review-pr.yml@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1
+#       uses: docker/cagent-action/.github/workflows/review-pr.yml@VERSION
 #       # Scoped to the job so other jobs in this workflow aren't over-permissioned
 #       permissions:
 #         contents: read       # Read repository files and PR diffs
diff --git a/README.md b/README.md
@@ -7,7 +7,7 @@ A GitHub Action for running [Docker Agent](https://github.com/docker/docker-agen
 1. **Add the action to your workflow**:
 
    ```yaml
-   - uses: docker/cagent-action@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1
+   - uses: docker/cagent-action@VERSION
      with:
        agent: path/to/agent.yaml
        prompt: "Analyze this code"
@@ -62,7 +62,7 @@ permissions:
 
 jobs:
   review:
-    uses: docker/cagent-action/.github/workflows/review-pr.yml@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1
+    uses: docker/cagent-action/.github/workflows/review-pr.yml@VERSION
     # Scoped to the job so other jobs in this workflow aren't over-permissioned
     permissions:
       contents: read # Read repository files and PR diffs
@@ -84,7 +84,7 @@ See the [full PR Review documentation](review-pr/README.md) for more details.
 
 ```yaml
 - name: Run Custom Agent
-  uses: docker/cagent-action@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1
+  uses: docker/cagent-action@VERSION
   with:
     agent: ./agents/my-agent.yaml
     prompt: "Analyze the codebase"
@@ -95,7 +95,7 @@ See the [full PR Review documentation](review-pr/README.md) for more details.
 
 ```yaml
 - name: Run Docker Agent with Custom Settings
-  uses: docker/cagent-action@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1
+  uses: docker/cagent-action@VERSION
   with:
     agent: docker/code-analyzer
     prompt: "Analyze this codebase"
@@ -115,7 +115,7 @@ See the [full PR Review documentation](review-pr/README.md) for more details.
 ```yaml
 - name: Run Docker Agent
   id: agent
-  uses: docker/cagent-action@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1
+  uses: docker/cagent-action@VERSION
   with:
     agent: docker/code-analyzer
     prompt: "Analyze this codebase"
@@ -245,14 +245,14 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Security Review
-        uses: docker/cagent-action@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1
+        uses: docker/cagent-action@VERSION
         with:
           agent: docker/github-action-security-scanner
           prompt: "Analyze for security issues"
           anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
 
       - name: Code Quality Analysis
-        uses: docker/cagent-action@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1
+        uses: docker/cagent-action@VERSION
         with:
           agent: docker/code-quality-analyzer
           prompt: "Analyze code quality and best practices"
@@ -285,7 +285,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Run Agent
-        uses: docker/cagent-action@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1
+        uses: docker/cagent-action@VERSION
         with:
           agent: ${{ github.event.inputs.agent }}
           prompt: ${{ github.event.inputs.prompt }}
diff --git a/review-pr/README.md b/review-pr/README.md
@@ -23,7 +23,7 @@ permissions:
 
 jobs:
   review:
-    uses: docker/cagent-action/.github/workflows/review-pr.yml@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1
+    uses: docker/cagent-action/.github/workflows/review-pr.yml@VERSION
     # Scoped to the job so other jobs in this workflow aren't over-permissioned
     permissions:
       contents: read       # Read repository files and PR diffs
@@ -146,7 +146,7 @@ jobs:
           fetch-depth: 0
           ref: refs/pull/${{ github.event.issue.number }}/head
 
-      - uses: docker/cagent-action/review-pr@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1
+      - uses: docker/cagent-action/review-pr@VERSION
         with:
           anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -163,7 +163,7 @@ The recommended approach is to add an `AGENTS.md` file to your repository root.
 For workflow-level overrides or guidelines that apply across multiple repos, use the `additional-prompt` input:
 
 ```yaml
-- uses: docker/cagent-action/review-pr@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1
+- uses: docker/cagent-action/review-pr@VERSION
   with:
     anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
     additional-prompt: |
@@ -174,7 +174,7 @@ For workflow-level overrides or guidelines that apply across multiple repos, use
 ```
 
 ```yaml
-- uses: docker/cagent-action/review-pr@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1
+- uses: docker/cagent-action/review-pr@VERSION
   with:
     anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
     additional-prompt: |
@@ -186,7 +186,7 @@ For workflow-level overrides or guidelines that apply across multiple repos, use
 
 ```yaml
 # Project-specific conventions
-- uses: docker/cagent-action/review-pr@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1
+- uses: docker/cagent-action/review-pr@VERSION
   with:
     anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
     additional-prompt: |
@@ -207,31 +207,31 @@ Override for more thorough or cost-effective reviews:
 
 ```yaml
 # Anthropic (default provider)
-- uses: docker/cagent-action/review-pr@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1
+- uses: docker/cagent-action/review-pr@VERSION
   with:
     anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
     model: anthropic/claude-opus-4 # More thorough reviews
 ```
 
 ```yaml
 # OpenAI Codex
-- uses: docker/cagent-action/review-pr@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1
+- uses: docker/cagent-action/review-pr@VERSION
   with:
     openai-api-key: ${{ secrets.OPENAI_API_KEY }}
     model: openai/codex-mini
 ```
 
 ```yaml
 # Google Gemini
-- uses: docker/cagent-action/review-pr@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1
+- uses: docker/cagent-action/review-pr@VERSION
   with:
     google-api-key: ${{ secrets.GOOGLE_API_KEY }}
     model: gemini/gemini-2.0-flash
 ```
 
 ```yaml
 # xAI Grok
-- uses: docker/cagent-action/review-pr@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1
+- uses: docker/cagent-action/review-pr@VERSION
   with:
     xai-api-key: ${{ secrets.XAI_API_KEY }}
     model: xai/grok-2
diff --git a/security/README.md b/security/README.md
@@ -220,7 +220,7 @@ All tests must pass before deployment.
 ```yaml
 - name: Run Agent
   id: agent
-  uses: docker/cagent-action@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1
+  uses: docker/cagent-action@VERSION
   with:
     agent: my-agent
     prompt: "Analyze the logs"

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@`
`12`	`12`	`#`
`13`	`13`	`# jobs:`
`14`	`14`	`# review:`
`15`		`-# uses: docker/cagent-action/.github/workflows/review-pr.yml@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1`
	`15`	`+# uses: docker/cagent-action/.github/workflows/review-pr.yml@VERSION`
`16`	`16`	`# # Scoped to the job so other jobs in this workflow aren't over-permissioned`
`17`	`17`	`# permissions:`
`18`	`18`	`# contents: read # Read repository files and PR diffs`