ci(dispatch): allow checkout@v7 fork PR checkout in all reusable workflows#3696
Conversation
PR Summary by QodoAllow safe fork PR checkout in Route job with actions/checkout@v7
AI Description
Diagram
High-Level Assessment
Files changed (1)
|
|
🤖 Review · |
Site previewPreview: https://3b1d1d82-site.fullsend-ai.workers.dev Commit: |
508a1ab to
806b507
Compare
|
🤖 Review · |
806b507 to
c6d6936
Compare
Code Review by Qodo
1.
|
|
🤖 Review · |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
c6d6936 to
d113ad0
Compare
|
🤖 Review · |
d113ad0 to
3f0d6f5
Compare
|
🤖 Finished Review · ✅ Success · Started 5:53 PM UTC · Completed 6:04 PM UTC |
ReviewFindingsMedium
Prior review findings resolved: The [parameter-order] low-severity finding from the prior review has been addressed — the Previous runReviewFindingsMedium
Low
Prior review findings resolved: The [permission-expansion] and [missing-ref-pinning] low-severity findings from the prior review have both been addressed — all 6 stage workflows now include Previous run (2)ReviewFindingsMedium
Low
Labels: PR modifies CI workflow files under .github/workflows/ for dispatch routing |
3f0d6f5 to
33d6051
Compare
|
🤖 Finished Review · ✅ Success · Started 6:07 PM UTC · Completed 6:19 PM UTC |
waynesun09
left a comment
There was a problem hiding this comment.
Reviewed via a 5-agent review squad. The original revision had two real issues (both independently confirmed by 3 agents): the "credentials are not persisted" comment was inaccurate for 6/7 files since persist-credentials wasn't set, and the checkout resolved the PR merge ref rather than the base branch, so fork-controlled customized/ overlay content could land in the workspace.
Both were fixed in the latest push, which pins ref to github.event.pull_request.base.sha under pull_request_target and sets persist-credentials: false across all 7 reusable workflows — this removes fork content from the checkout entirely rather than just working around the action's ref-format guard. CI is green (commit-lint, e2e, functional-tests, DCO). Fix is complete and consistent across all 7 reusable workflows that run under pull_request_target.
Non-blocking follow-up: the checkout block (comment + ref pin + persist-credentials + allow-unsafe-pr-checkout) is now duplicated identically across 7 files — worth extracting into a composite action at some point, but not required for this fix.
…flows checkout@v7 added a security guard that blocks fork PR head checkouts in pull_request_target workflows by default. The github context is inherited through workflow_call chains, so github.event_name is pull_request_target in every reusable workflow — not just the dispatch Route job where the failure was first observed. All 7 "Checkout config repository" steps are safe: they read only .fullsend/ config files, no fork code is executed, and credentials are not persisted. The dispatch Route job additionally pins its ref to the base branch so kill-switch and role gating always reads trusted config. Stage workflows now also include explicit ref pinning and persist-credentials: false for consistency with the dispatch workflow. Fixes fullsend-ai#3689 Signed-off-by: Greg Allen <gallen@redhat.com> Signed-off-by: Claude Opus 4.5 <noreply@anthropic.com> Signed-off-by: Greg Allen <gallen@redhat.com>
33d6051 to
08b3f52
Compare
|
🤖 Finished Review · ✅ Success · Started 6:25 PM UTC · Completed 6:36 PM UTC |
|
🤖 Finished Retro · ✅ Success · Started 7:48 PM UTC · Completed 7:58 PM UTC |
|
PR #3696 fixed actions/checkout@v7 fork PR checkout failures across 7 reusable workflows. The triage agent correctly identified the root cause but under-scoped the fix to 1 of 7 affected files, missing github context inheritance through workflow_call chains. The code agent implemented the narrow scope correctly (exit code 0) but failed at the post-script because Proposals filed |
Summary
actions/checkout@v7blocks fork PR head checkouts onpull_request_targetunlessallow-unsafe-pr-checkoutis setgithubcontext is inherited throughworkflow_callchains, sogithub.event_nameispull_request_targetin every reusable workflow — not just the dispatch Route job where the failure was first observedreusable-dispatch.yml, but fixing just the dispatch would unblock routing only to have the stage workflow (review, triage, code, fix, retro, prioritize) fail at its own "Checkout config repository" step with the same error.fullsend/config files, no fork code is executed, and credentials are not persistedFixes #3689
Test plan
openshift-pipelines/opc); Route job and stage job both check out config successfullyallow-unsafe-pr-checkoutexpression evaluates tofalseoutsidepull_request_target)🤖 Generated with Claude Code