From c96de431441044387be735b4a6cead3105e874a3 Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Wed, 18 Mar 2026 00:15:04 +0100
Subject: [PATCH] Fix expand-terraform: use PR head branch ref for push

github.ref_name on PRs returns "1/merge" (merge ref number), not the branch name. Use github.head_ref for PRs (the actual branch), falling back to github.ref_name for push events. Pass via env var to avoid command injection from user-controlled branch names.
---
 .github/workflows/expand-terraform.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/expand-terraform.yml b/.github/workflows/expand-terraform.yml
index 405ac3f..548e320 100644
--- a/.github/workflows/expand-terraform.yml
+++ b/.github/workflows/expand-terraform.yml
@@ -30,7 +30,7 @@ jobs:
 steps:
 - uses: actions/checkout@v6
 with:
- ref: ${{ github.ref }}
+ ref: ${{ github.head_ref || github.ref }}
 - name: Generate GitHub App token
 id: app-token
@@ -65,4 +65,6 @@ jobs:
 run: python3 .platform/scripts/expand-modules.py
 - name: Commit and push generated files
- run: sh .platform/scripts/commit-generated-tf.sh "${{ inputs.tf_root }}" "${{ github.ref_name }}"
+ env:
+ BRANCH: ${{ github.head_ref || github.ref_name }}
+ run: sh .platform/scripts/commit-generated-tf.sh "${{ inputs.tf_root }}" "$BRANCH"
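Review bot: In the checkout step of the first hunk, `ref: ${{ github.head_ref || github.ref }}` passes a bare branch name with no `repository:`, so for a pull request opened from a fork the name refers to a branch that exists only in the fork. The step would then fail, or pick up a same-named branch of the base repository instead of the PR's code. The same job creates a GitHub App token and runs scripts under `.platform/scripts/`; if those scripts come from this checkout, head-branch content runs with that token in scope, which should be confirmed against the triggers and the steps between the two hunks, neither of which is visible here. A job-level `if:` that compares `github.event.pull_request.head.repo.full_name` with `github.repository` for pull-request events, plus a comment on the step saying fork PRs are unsupported, would make the assumption explicit.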
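Review bot: In the second hunk the new `run:` line still interpolates `"${{ inputs.tf_root }}"` directly into the shell text, so the template-injection fix applied to the branch name does not cover the first argument. Whoever supplies `tf_root` (a calling workflow or a manual dispatch; the `on:` block is outside the hunk) controls text that is pasted into the script before the shell parses it. Passing it the same way closes the gap: add `TF_ROOT: ${{ inputs.tf_root }}` under `env:` and call `run: sh .platform/scripts/commit-generated-tf.sh "$TF_ROOT" "$BRANCH"`. Since `commit-generated-tf.sh` is not shown, it is also worth checking that it quotes both arguments and pushes to an explicit `refs/heads/` refspec, so a branch name beginning with `-` cannot be read as an option.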