Skip to content

fix(ci): check out PR head in shared maven build under pull_request_target#46

Merged
ABBDVD merged 1 commit into
mainfrom
fix/dependabot-pr-checkout-ref
Jun 22, 2026
Merged

fix(ci): check out PR head in shared maven build under pull_request_target#46
ABBDVD merged 1 commit into
mainfrom
fix/dependabot-pr-checkout-ref

Conversation

@ABBDVD

@ABBDVD ABBDVD commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Why

shared-maven-build.yml's checkout step has no explicit ref, so under pull_request_target it resolves to the base branch's tip. Every Dependabot PR's CI has therefore been building the base branch, not the proposed changes — the green checkmark only confirmed that master still builds, not that the bump was viable.

The bug stayed invisible for most bumps (a pom.xml version diff alone resolves fine against the base tree), but it surfaced now for code-style-settings: that artifact ships generated files (hooks/pre-push, portal-java-formatter.xml, …) which the build unpacks over the tree, and any unsynced commit at base trips the post-build ensure-no-uncommitted-code check.

Change

Pin ref to the PR head when available, falling back to github.sha:

ref: ${{ github.event.pull_request.head.sha || github.sha }}
  • pull_request_target → PR head (the fix)
  • push / workflow_dispatch / schedulegithub.sha, identical to today

Only pull_request_target callers (the 20 repos' dependabot-pr.yml) see new behavior. Acceptable here because the trigger is already gated to github.event.pull_request.user.login == 'dependabot[bot]', and Dependabot is first-party.

@ABBDVD ABBDVD requested a review from a team as a code owner June 22, 2026 11:16
…arget

The shared workflow's checkout step had no explicit ref, so under
pull_request_target it resolved to the base branch's tip. That meant
every Dependabot PR's CI was building the base branch instead of the
proposed changes — the green checkmark only proved that base still
built, not that the bump was viable.

Pin ref to github.event.pull_request.head.sha when present, falling
back to github.sha so push and workflow_dispatch triggers keep their
existing behavior. The dependabot-pr.yml gates already restrict
execution to PRs opened by dependabot[bot], so checking out the PR
head under pull_request_target is acceptable here: Dependabot is
first-party and only mutates manifest/lockfile content.
@ABBDVD ABBDVD force-pushed the fix/dependabot-pr-checkout-ref branch from b4e872b to 2ef36c4 Compare June 22, 2026 11:18
@ABBDVD ABBDVD requested a review from tgmuender June 22, 2026 11:19
@ABBDVD ABBDVD merged commit 22ac397 into main Jun 22, 2026
3 checks passed
@ABBDVD ABBDVD deleted the fix/dependabot-pr-checkout-ref branch June 22, 2026 11:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants