Parse and generate YAML in sync_back.ts

[mbg]

This is an alternative to #3547 which avoids the regular expressions entirely. It does this by using the yaml library that we already use in sync.ts to:

• Parse the workflows in .github/workflows to extract the action versions
• Then parses, updates, and renders the workflow templates in pr-checks/checks

For sync.ts, I have extracted a mapping of action names to versions into a separate file (action-versions.ts) which can easily be re-generated by the sync_back.ts script.

A couple of extra notes for review:

• I looked into running eslint over the resulting action-versions.ts file, but this is currently sort-of blocked on me adding a tsconfig.json for pr-checks and then an eslint config. I'll do that, but separately from this.

Risk assessment

For internal use only. Please select the risk level of this change:

• Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Which use cases does this change impact?

Environments:

• Testing/None - This change does not impact any CodeQL workflows in production.

How did/will you validate this change?

• Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
• End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

• Development/testing only - This change cannot cause any failures in production.

How will you know if something goes wrong after this change is released?

• Other - Please provide details.

Are there any special considerations for merging or releasing this change?

• No special considerations - This change can be merged at any time.

Merge / deployment checklist

• Confirm this change is backwards compatible with existing workflows.
• Consider adding a changelog entry for this change.
• Confirm the readme and docs have been updated if necessary.

[Copilot]

Pull request overview

This PR refactors pr-checks/sync_back.ts to avoid regex-based workflow parsing by using the existing yaml library to parse generated workflows and update templates, and it factors Action version pinning into a dedicated action-versions.ts file consumed by sync.ts.

Changes:

• Parse .github/workflows/__*.yml with yaml to extract uses: action refs (including inline comments) in sync_back.ts.
• Generate/update pr-checks/action-versions.ts and update sync.ts to reference it via a helper (getActionRef).
• Update pr-checks/checks/*.yml templates via YAML AST editing rather than regex substitution.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
pr-checks/sync_back.ts	Switches to YAML AST traversal for scanning/updating and introduces writing action-versions.ts.
pr-checks/sync_back.test.ts	Updates tests to validate YAML-based scanning and the new action-versions.ts update behavior.
pr-checks/sync.ts	Loads action version pins from action-versions.ts instead of hardcoded refs.
pr-checks/action-versions.ts	New generated mapping of action names to pinned refs (and optional comments).
pr-checks/checks/overlay-init-fallback.yml	Template formatting change as a result of re-serialization.
pr-checks/checks/init-with-registries.yml	Template formatting change as a result of re-serialization.
pr-checks/checks/autobuild-direct-tracing-with-working-dir.yml	Template formatting change as a result of re-serialization.

[esbena]

I love this approach. Thanks for this extra follow-up effort.
In addition to the yaml traversal comment, I have one comment that we'll discuss internally.

[esbena]

So the idea of this visitor is to recursively visit everything in the YAML document and then for any uses: <string> cases do something?
My worry is that this could hit too many things. Concretely a user could have env: uses: "foo"

I would prefer a setup where we specifically target the individual steps in a more semantic manner:
We know the exact object depth at which these step definitions can occur, both for workflow files and composite actions...