Open
Labels: ai-generated, bug (Something isn't working), cookie (Issue Monster Loves Cookies!), plan, priority-high, security
Description
Objective
Add defensive validation after sortPinsByVersion() to ensure the sorted slice is non-empty before accessing the first element.
Context
Source: Sergo Analysis Report #14696 - Critical Issue #2
Location: pkg/workflow/action_pins.go:432
Severity: Critical
The GetActionPinByRepo() function trusts that sortPinsByVersion() preserves slice length, but nothing validates that the sorting function actually does so. If sortPinsByVersion() has a bug or unexpectedly returns an empty slice, indexing sortedPins[0] panics.
Current Code (Lines 428-432)

```go
sortedPins := sortPinsByVersion(matchingPins)
// Return the latest version (first after sorting)
return sortedPins[0], true // ❌ What if sortPinsByVersion returns empty?
```

Proposed Fix

```go
sortedPins := sortPinsByVersion(matchingPins)
if len(sortedPins) == 0 {
	actionPinsLog.Printf("WARNING: sortPinsByVersion returned empty slice for repo %s", repo)
	return ActionPin{}, false
}
return sortedPins[0], true
```

Acceptance Criteria
- Add length check after sortPinsByVersion() call
- Add warning log if sorted slice is empty
- Return zero value and false on empty slice
- Run existing tests to ensure no behavior changes
- No new test failures introduced
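As an added, stand-alone example (not code from the project or from the issue author), here is the guarded lookup from the proposed fix embedded in a complete Go program, next to a deliberately broken sorter that shows why the check matters: the guarded path logs a warning and returns false, while indexing the sorter's result without a length check panics. The ActionPin field layout, the sorter-injection parameter on GetActionPinByRepo, the version-parsing logic and the sample pins are all assumptions of this example, not the project's own.

```go
package main

import (
	"fmt"
	"log"
	"os"
	"sort"
	"strconv"
	"strings"
)

// ActionPin is a constructed stand-in for the project's pin record (assumed shape).
type ActionPin struct {
	Repo, Version, SHA string
}

var actionPinsLog = log.New(os.Stderr, "[action-pins] ", log.LstdFlags)

// versionKey turns "v4.1.1" into [4 1 1]; non-numeric segments (e.g. "main")
// become -1 so they sort after every numeric version.
func versionKey(v string) []int {
	var key []int
	for _, p := range strings.Split(strings.TrimPrefix(v, "v"), ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			n = -1
		}
		key = append(key, n)
	}
	return key
}

// newer reports whether version a is newer than b (and so sorts before it).
func newer(a, b string) bool {
	ka, kb := versionKey(a), versionKey(b)
	for i := 0; i < len(ka) && i < len(kb); i++ {
		if ka[i] != kb[i] {
			return ka[i] > kb[i]
		}
	}
	return len(ka) > len(kb) // v4.1.1 is newer than v4.1
}

// sortPinsByVersion returns a new slice, newest first. It preserves length,
// but GetActionPinByRepo deliberately does not rely on that.
func sortPinsByVersion(pins []ActionPin) []ActionPin {
	sorted := append([]ActionPin(nil), pins...)
	sort.SliceStable(sorted, func(i, j int) bool { return newer(sorted[i].Version, sorted[j].Version) })
	return sorted
}

// brokenSortPinsByVersion simulates the defect the issue guards against:
// a sorter that unexpectedly returns an empty slice.
func brokenSortPinsByVersion(_ []ActionPin) []ActionPin { return nil }

// GetActionPinByRepo returns the latest pin for repo. The injected sorter is an
// assumption of this example so the guard can be exercised against brokenSortPinsByVersion.
func GetActionPinByRepo(pins []ActionPin, repo string, sorter func([]ActionPin) []ActionPin) (ActionPin, bool) {
	var matchingPins []ActionPin
	for _, p := range pins {
		if p.Repo == repo {
			matchingPins = append(matchingPins, p)
		}
	}
	if len(matchingPins) == 0 {
		return ActionPin{}, false
	}
	sortedPins := sorter(matchingPins)
	// The proposed fix: never index an empty result; log and fail closed instead.
	if len(sortedPins) == 0 {
		actionPinsLog.Printf("WARNING: sortPinsByVersion returned empty slice for repo %s", repo)
		return ActionPin{}, false
	}
	return sortedPins[0], true
}

// panics reports whether f triggers a runtime panic, to show the failure mode
// of the current unguarded code.
func panics(f func()) (didPanic bool) {
	defer func() {
		if recover() != nil {
			didPanic = true
		}
	}()
	f()
	return false
}

// samplePins is constructed data, not taken from any real workflow.
var samplePins = []ActionPin{
	{"actions/checkout", "v3", "aaaa"},
	{"actions/checkout", "v4.1.1", "bbbb"},
	{"actions/checkout", "v4.1", "cccc"},
	{"actions/setup-go", "v5", "dddd"},
}

func main() {
	pin, ok := GetActionPinByRepo(samplePins, "actions/checkout", sortPinsByVersion)
	fmt.Println(pin.Version, ok) // v4.1.1 true
	_, ok = GetActionPinByRepo(samplePins, "actions/checkout", brokenSortPinsByVersion)
	fmt.Println("guarded lookup with broken sorter:", ok) // false, after a WARNING line
	fmt.Println("unguarded index panics:", panics(func() { _ = brokenSortPinsByVersion(samplePins)[0] })) // true
}
```

The guard costs one comparison and turns a process-crashing panic into a logged, fail-closed (ActionPin{}, false) result, which is what the acceptance criteria ask for; the length-preservation check in the test is the property the current code silently assumes.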
Related to [sergo] Initialization Safety & Type Guards Analysis - 2026-02-09 #14696
AI generated by Plan Command for #14696 - expires on Feb 12, 2026, 1:07 AM UTC