Update release workflow to pin new sub-action refs

[derekmisler]

Summary

Extends the release workflow's ref-pinning logic to cover the new review-pr/reply sub-action. Previously, only review-pr/action.yml and the top-level review-pr reference in review-pr.yml were pinned on release; this PR adds equivalent pinning and verification steps for review-pr/reply/action.yml and the docker/cagent-action/review-pr/reply@latest reference in .github/workflows/review-pr.yml.

Changes

• .github/workflows/release.yml: Adds sed substitution to pin docker/cagent-action@latest in review-pr/reply/action.yml, adds sed substitution to pin docker/cagent-action/review-pr/reply@latest in .github/workflows/review-pr.yml (ordered before the existing review-pr@latest replacement to avoid partial-match collisions), adds two new grep verification checks for the newly pinned refs, and includes review-pr/reply/action.yml in the final "Pinned refs" summary output.

Breaking Changes

None — this is an additive change to the release automation only.

How to Test

• Trigger a release and confirm the workflow completes without the new ::error:: guards firing.
• After the release commit is created, verify that review-pr/reply/action.yml and .github/workflows/review-pr.yml both contain the versioned ref (e.g. docker/cagent-action@vX.Y.Z / docker/cagent-action/review-pr/reply@vX.Y.Z) rather than @latest.
• Confirm the "Pinned refs" log output now includes lines from review-pr/reply/action.yml alongside the existing files.

Closes: https://github.com/docker/gordon/issues/198

[derekmisler]

/describe

[docker-agent]

✅ PR description has been generated and updated!

[docker-agent]

Review Summary

Assessment: 🟢 APPROVE

Summary

This PR correctly updates the release workflow to pin the new review-pr/reply sub-action references. The changes follow the existing pattern and include proper safeguards:

✅ Correct ordering: The sed replacements are ordered from longest to shortest path to avoid partial string matches
✅ Proper validation: Each sed replacement has a corresponding grep validation to ensure the pinning succeeded
✅ Comprehensive coverage: Updates both the action definition files and the workflow that uses them

The implementation is sound and follows defensive programming practices.

Findings

No issues found. The code changes are correct and ready to merge.

---

Generated by cagent PR reviewer

[derekmisler]

/review

[docker-agent]

Review Summary

Assessment: 🟢 APPROVE

Summary

The refactoring from explicit file-by-file sed commands to a pattern-based grep+sed loop is well-designed and introduces no bugs. All initial hypotheses about potential issues (grep argument order, error handling, pattern mismatches) were investigated and dismissed:

• The grep syntax is correct and standard (grep [options] PATTERN [file...])
• Error handling works properly through the PINNED_FILES array length check at line 106
• Pattern matching correctly handles comments vs. actual uses: lines
• Process substitution with set -e behaves as intended

The new implementation is actually more robust than the old explicit sed commands, as it:

1. Dynamically discovers all files needing pinning
2. Provides centralized verification via the PINNED_FILES array
3. Includes comprehensive grep-based validation of pinning success
4. Will automatically cover new sub-actions added under review-pr/

Findings

No issues found. The code correctly implements the intended behavior described in the PR description.

---

Note: This PR successfully extends the ref-pinning automation to cover review-pr/reply without requiring hardcoded file paths for future sub-actions under the review-pr/ directory.