From 2ef36c4dc292a31648b8633c80be91260c948e7c Mon Sep 17 00:00:00 2001 From: Christopher Signer Date: Mon, 22 Jun 2026 11:08:08 +0000 Subject: [PATCH] fix(ci): check out PR head in shared maven build under pull_request_target MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The shared workflow's checkout step had no explicit ref, so under pull_request_target it resolved to the base branch's tip. That meant every Dependabot PR's CI was building the base branch instead of the proposed changes — the green checkmark only proved that base still built, not that the bump was viable. Pin ref to github.event.pull_request.head.sha when present, falling back to github.sha so push and workflow_dispatch triggers keep their existing behavior. The dependabot-pr.yml gates already restrict execution to PRs opened by dependabot[bot], so checking out the PR head under pull_request_target is acceptable here: Dependabot is first-party and only mutates manifest/lockfile content. --- .github/workflows/shared-maven-build.yml | 4 ++++ CHANGELOG.md | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/shared-maven-build.yml b/.github/workflows/shared-maven-build.yml index f12bd3f..7751f2b 100644 --- a/.github/workflows/shared-maven-build.yml +++ b/.github/workflows/shared-maven-build.yml @@ -90,6 +90,10 @@ jobs: with: # fetch-depth: 0 is required for spotless-maven-plugin branch comparisons fetch-depth: 0 + # Under pull_request_target the default ref is the base branch, which + # would build base instead of the PR's proposed changes. Pin to the PR + # head when available; fall back to github.sha for push/dispatch. + ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Setup Build Variables (RC Versioning) id: vars diff --git a/CHANGELOG.md b/CHANGELOG.md index 6d50735..a346d7c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,4 +12,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Added workflows and actions for running the release pipeline with github actions ([PORTAL-1673](https://inventage-all.atlassian.net/browse/PORTAL-1673)) +### Fixed + +- `shared-maven-build.yml` now checks out the PR head under `pull_request_target` so Dependabot PR builds verify the proposed changes instead of the base branch + [unreleased]: https://github.com/uniport/workflows/compare/73134d30c856eaabc9c891492f265b896517382c...main