Summary
5 production call sites pass context.Background() directly to ActionResolver.ResolveSHA(ctx, repo, version), a network operation that talks to GitHub via gh api. The interface already accepts context.Context, but the wrapper functions do not — there is no plumbing for callers to inject timeouts or honor cancellation. One call site (pkg/actionpins/actionpins.go:317) already demonstrates the correct pattern (cmp.Or(ctx.Ctx, context.Background())).
This is a sergo-tracked finding (Run 10, strategy constants-adoption-audit-plus-context-propagation-scan, ref #aw_sgar1). Tracking issue auto-expires after 7d.
Affected call sites
| # | File | Line | Function | Notes |
|---|------|------|----------|-------|
| 1 | pkg/workflow/maintenance_workflow.go | 70 | resolveActionRef(actionRepo, tag, resolver) | Called from GenerateMaintenanceWorkflow |
| 2 | pkg/workflow/action_sha_checker.go | 121 | CheckActionSHAUpdates(actions, resolver) (exported) | Iterates over actions in a loop; cancellation would let callers abort mid-iteration |
| 3 | pkg/workflow/action_reference.go | 78 | resolveSetupActionRef (action mode) | Compile-path |
| 4 | pkg/workflow/action_reference.go | 116 | resolveSetupActionRef (release mode) | Compile-path |
| 5 | pkg/cli/copilot_setup.go | 25, 35 | getActionRef | CLI entry near top of call stack |
Reference: established correct pattern
pkg/actionpins/actionpins.go:317 (in ResolveActionPin):
```go
sha, err := ctx.Resolver.ResolveSHA(cmp.Or(ctx.Ctx, context.Background()), actionRepo, version)
```
The PinContext struct carries Ctx context.Context and the resolver call falls back to Background() only when no parent is provided.
Recommendation
Thread context.Context through the wrapper functions so callers can plumb cancellation. The minimum change for each site:
Before (action_sha_checker.go:102):

```go
func CheckActionSHAUpdates(actions []ActionUsage, resolver *ActionResolver) []ActionUpdateCheck {
	...
	latestSHA, err := resolver.ResolveSHA(context.Background(), action.Repo, action.Version)
```

After:

```go
func CheckActionSHAUpdates(ctx context.Context, actions []ActionUsage, resolver *ActionResolver) []ActionUpdateCheck {
	...
	latestSHA, err := resolver.ResolveSHA(ctx, action.Repo, action.Version)
```
Apply the same shape to resolveActionRef, resolveSetupActionRef, and getActionRef. For internal helpers that have no obvious ctx source, accept ctx context.Context and let callers pass context.Background() at the boundary (the test-only and main-entry forms).
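A runnable illustration of the recommended shape, added here as an example and not code from the project: the resolver is swapped for a constructed fake that honours ctx the way a real gh api round trip would, the type names (ActionUsage, ActionUpdateCheck, SHAResolver) are assumed stand-ins for the project's own, and the loop shows why call site 2 benefits from cancellation, since a timed-out context stops the iteration instead of blocking on every remaining call.

```go
package main

import (
	"cmp"
	"context"
	"errors"
	"time"
)

// Assumed stand-ins for the project's types; the real definitions are not on the page.
type ActionUsage struct{ Repo, Version string }
type ActionUpdateCheck struct {
	Repo, Version, LatestSHA string
	Err                      error
}

// SHAResolver already accepts a ctx, as the issue notes; the wrappers are what lack it.
type SHAResolver interface {
	ResolveSHA(ctx context.Context, repo, version string) (string, error)
}

// fakeResolver stands in for the gh api round trip: it waits for delay, or returns
// ctx.Err() as soon as the caller's context is cancelled or times out.
type fakeResolver struct{ delay time.Duration }

func (f fakeResolver) ResolveSHA(ctx context.Context, repo, version string) (string, error) {
	select {
	case <-time.After(f.delay):
		return "sha-of-" + repo + "@" + version, nil // constructed placeholder, not a real SHA
	case <-ctx.Done():
		return "", ctx.Err()
	}
}

// CheckActionSHAUpdates is the recommended "after" shape: ctx is threaded through,
// a nil ctx falls back to Background() (the actionpins.go:317 pattern), and the loop
// stops at the first cancellation instead of blocking on every remaining call.
func CheckActionSHAUpdates(ctx context.Context, actions []ActionUsage, r SHAResolver) []ActionUpdateCheck {
	ctx = cmp.Or(ctx, context.Background())
	var out []ActionUpdateCheck
	for _, a := range actions {
		sha, err := r.ResolveSHA(ctx, a.Repo, a.Version)
		out = append(out, ActionUpdateCheck{Repo: a.Repo, Version: a.Version, LatestSHA: sha, Err: err})
		if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
			break // the caller asked us to stop; do not drain the remaining network calls
		}
	}
	return out
}
```

With a 150ms deadline and a 100ms fake resolver, three actions yield one resolved entry and one DeadlineExceeded entry, and the third call is never made.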
Validation
- ctx context.Context
- context.Background() only appears at top-level CLI entry points (main, signal handlers, tests)
- context.Background() calls inside pkg/workflow/
- go build ./... and existing tests pass
Impact / Severity
Medium. Compile-time network calls cannot be cancelled today, so a hung gh api call will block compilation indefinitely (no caller-supplied timeout). The wider codebase is healthy on this front — Run 4 already found that all 6 production goroutines and 5 type-assertions are clean. This is the largest remaining cluster of context-propagation gaps.
Related historical findings
- Run 3 (#sergo): identified 1 site (pkg/cli/mcp_registry.go:56) with http.NewRequest lacking ctx
- Run 4: resource-lifecycle audit established defer recover() convention for goroutines
- Run 9: confirmed SHAResolver and ActionSHAResolver interfaces are structurally identical (issue #aw_sg9a2)
Filed by Sergo run §25901108807.
Generated by 🤖 Sergo - Serena Go Expert