From 4e4367859e38c55c9970bbb3f2234198b35c1bf4 Mon Sep 17 00:00:00 2001
From: Thomas Pierce
Date: Mon, 22 Sep 2025 14:13:26 -0700
Subject: [PATCH 1/2] Scan for @v actions

---
 .github/workflows/pr-build.yml | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
index 5b343c82be..8eb50c4b99 100644
--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
@@ -14,7 +14,7 @@ env:
 TEST_TAG: public.ecr.aws/aws-observability/adot-autoinstrumentation-java:test-v2
 jobs:
- changelog-check:
+ static-code-checks:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -22,6 +22,7 @@ jobs:
 fetch-depth: 0
 - name: Check CHANGELOG
+ if: always()
 run: |
 # Check if PR is from workflows bot or dependabot
 if [[ "${{ github.event.pull_request.user.login }}" == "aws-application-signals-bot" ]]; then
@@ -50,6 +51,24 @@ jobs:
 echo "It looks like you didn't add an entry to CHANGELOG.md. If this change affects the SDK behavior, please update CHANGELOG.md and link this PR in your entry. If this PR does not need a CHANGELOG entry, you can add the 'Skip Changelog' label to this PR."
 exit 1
+ - name: Check for versioned GitHub actions
+ if: always()
+ run: |
+ # Get changed GitHub workflow/action files
+ CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true)
+ if [ -n "$CHANGED_FILES" ]; then
+ # Check for any versioned actions, excluding comments and this validation script
+ VIOLATIONS=$(grep -Hn "uses:.*@v" $CHANGED_FILES | grep -v "grep.*uses:.*@v" | grep -v "#.*@v" || true)
+ if [ -n "$VIOLATIONS" ]; then
+ echo "Found versioned GitHub actions. Use commit SHAs instead:"
+ echo "$VIOLATIONS"
+ exit 1
+ fi
+ fi
+
+ echo "No versioned actions found in changed files"
+
 testpatch:
 name: Test patches applied to dependencies
 runs-on: aws-otel-java-instrumentation_ubuntu-latest_32-core
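Review bot: The `if: always()` added to the "Check CHANGELOG" step also fires when the job is cancelled, so a cancelled run still executes the changelog script (and, since it also runs after a failed checkout, the script's git commands then operate on an empty workspace). GitHub's documented form for "run even if an earlier step failed, but not on cancel" is `if: ${{ !cancelled() }}`. The same `if: always()` appears on the new "Check for versioned GitHub actions" step in the third hunk and would benefit from the same change.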
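Review bot: The `VIOLATIONS=` grep only matches `@v`, so branch refs such as `@main`/`@master` and tags without a `v` prefix pass a check whose message says "Use commit SHAs instead"; matching any `uses:` ref that is not a 40-hex SHA closes that gap, e.g. `VIOLATIONS=$(grep -HnE "uses:[[:space:]]*[^[:space:]]+@" $CHANGED_FILES | grep -vE "@[0-9a-f]{40}([[:space:]]|$)" | grep -v "grep.*uses:" | grep -v "#.*@" || true)`. Separately, the `|| true` on the `CHANGED_FILES=` pipeline swallows a failing `git diff` (for example when the step runs under `if: always()` after a failed checkout or when `origin/<base_ref>` is not fetched), leaving `CHANGED_FILES` empty so the step prints "No versioned actions found in changed files" and passes vacuously; splitting it as `git diff --name-only "origin/${{ github.base_ref }}..HEAD" > changed-files.txt` followed by `CHANGED_FILES=$(grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" changed-files.txt || true)` tolerates only grep's no-match exit. Note also that this job's own `- uses: actions/checkout@v4`, visible as context in the first hunk of the same file, matches the new pattern, so this PR appears to fail its own check unless those references are pinned elsewhere in the series.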
From 2e72d2fa8c9522ae2c4c7f293eb870f8777aee3a Mon Sep 17 00:00:00 2001
From: Thomas Pierce
Date: Tue, 23 Sep 2025 12:21:30 -0700
Subject: [PATCH 2/2] Update pr-build.yml

---
 .github/workflows/pr-build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
index c96c847d63..9788882479 100644
--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
@@ -240,7 +240,7 @@ jobs:
 all-pr-checks-pass:
 runs-on: ubuntu-latest
- needs: [changelog-check, testpatch, build, build-lambda]
+ needs: [static-code-checks, testpatch, build, build-lambda]
 if: always()
 steps:
 - name: Checkout to get workflow file