Problem
Several functions that make GitHub API calls for action SHA resolution use hardcoded context.Background() instead of propagating a caller-supplied context. This means these network operations have no timeout or cancellation support, which can cause hangs if GitHub's API is slow or unreachable.
Affected Locations
pkg/workflow/action_reference.go:78 — resolver.ResolveSHA(context.Background(), ...) in action mode conversion
pkg/workflow/action_reference.go:116 — same pattern in release mode
pkg/workflow/action_sha_checker.go:122 — resolver.ResolveSHA(context.Background(), ...) for SHA checking
pkg/workflow/maintenance_workflow.go:68 — resolver.ResolveSHA(context.Background(), ...) for maintenance workflows
pkg/workflow/github_cli.go:131,153 — RunGHContext(context.Background(), ...) wrappers
pkg/cli/add_command.go:366 — fetchAllRemoteDependencies(context.Background(), ...)
Impact
- Severity: Medium
- Risk: Operations calling GitHub API can hang indefinitely with no way to cancel them from parent callers. Timeouts like context.WithTimeout(context.Background(), ...) are used in some places but the root cause is the missing context propagation through the call stack.
- Affected: All CLI operations that resolve action SHAs or fetch remote workflows
Recommendation
Propagate context.Context as a parameter through the call chains that lead to these network operations. Functions like action_reference.go's internal helpers should accept a ctx context.Context parameter rather than using context.Background() directly.
Before:
sha, err := resolver.ResolveSHA(context.Background(), actionRepo, tag)
After:
// Accept ctx from caller and propagate it
sha, err := resolver.ResolveSHA(ctx, actionRepo, tag)
Validation
Estimated Effort: Medium (several files, requires tracing call chains)
Generated by Sergo — Run ID: §25301644786
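An added example, not code from the project or from the issue: a hypothetical shaResolver whose ResolveSHA binds its HTTP request to the caller's context, run against a constructed local server that stalls, so the deadline set once at the entry point aborts the call. The type, the helper resolveAgainstStalledAPI, and the sample repo, tag and SHA values are assumptions for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// shaResolver is a hypothetical stand-in for the project's resolver type.
type shaResolver struct{ baseURL string }

// ResolveSHA binds the request to ctx, so the caller's deadline or cancel aborts it.
func (r *shaResolver) ResolveSHA(ctx context.Context, repo, tag string) (string, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, r.baseURL+"/"+repo+"/"+tag, nil)
	if err != nil {
		return "", err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// resolveAgainstStalledAPI plays the CLI entry point: it sets one deadline and passes
// ctx down. The local server (constructed for this example) stalls for `stall`.
func resolveAgainstStalledAPI(stall, timeout time.Duration) (string, bool) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		select {
		case <-time.After(stall):
			fmt.Fprint(w, "constructed-sample-sha")
		case <-req.Context().Done(): // client gave up; stop stalling
		}
	}))
	defer srv.Close()
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	sha, err := (&shaResolver{baseURL: srv.URL}).ResolveSHA(ctx, "actions/checkout", "v4")
	return sha, errors.Is(err, context.DeadlineExceeded)
}

func main() {
	fmt.Println(resolveAgainstStalledAPI(2*time.Second, 100*time.Millisecond))
}
```

Had ResolveSHA been called with context.Background() inside the helper chain, the entry point's deadline would never reach the HTTP request and the first call would wait for the full stall.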