Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ref: ${{ github.event.pull_request.head.sha }} has no effect on the GHA workflow code which is always as-merged #2035

Open
msugakov opened this issue Jan 8, 2025 · 1 comment
Open

ref: ${{ github.event.pull_request.head.sha }} has no effect on the GHA workflow code which is always as-merged #2035

msugakov opened this issue Jan 8, 2025 · 1 comment

Comments

@msugakov
Copy link

msugakov commented Jan 8, 2025

Hello,

When doing some testing in PR I spotted that despite the action is set up to checkout the PR branch commit via

- uses: actions/checkout@v4
  with:
    ref: ${{ github.event.pull_request.head.sha }}

(as explained here), CI sees the code lines from the master branch merged with the PR branch. It is also especially notable that git rev-parse HEAD reports the same commit id I see locally and git status reports that the working tree is clean.

Could you please tell

  • What is that thing which actions/checkout@v4 checks out when ref: is set to ${{ github.event.pull_request.head.sha }}?
  • How can git commit id show up unchanged and working tree to be clean despite the evidently present changes in the tracked files?

Or does the workflow (my PR changes were to GHA workflow file) get always checked out for execution as-merged irrespective of what actions/checkout does and how it's configured?

Verbose details below.

Thanks,
Misha

How I spotted this

I made a change to the master branch in which a couple new attributes appeared, specifically the one called registry.
And it showed up in the GHA output https://github.com/stackrox/stackrox/actions/runs/12656587616/job/35269481605#step:3:73

Picture

image

Before landing that change I opened a PR stackrox/stackrox#13721 from the earlier master state which does not include that registry attribute. Here's that location in the PR's branch for comparison https://github.com/stackrox/stackrox/blob/misha/ROX-26026-scanner-ci-test/.github/workflows/scanner-build.yaml#L62 - no registry present.

The PR branch was cut after a7b8a0ad097604edcde64777a00900c712704844 and that commit's CI does not mention registry, as expected.
https://github.com/stackrox/stackrox/actions/runs/12648870573/job/35244064042#step:3:49

Picture

image

With the current state of master, despite that the checkout action is set up to check out the head of the PR branch (https://github.com/stackrox/stackrox/blob/misha/ROX-26026-scanner-ci-test/.github/workflows/scanner-build.yaml#L22-L25), there was registry attribute in the action output which is unexpected.
https://github.com/stackrox/stackrox/actions/runs/12670019672/job/35308764568?pr=13721#step:3:135

Picture

image

Observations

I added some debug info in the form of printing GHA variables and git cli calls and here's what I found.

ref is: github.event.pull_request.head.sha (PR, CI) github.head_ref (PR, CI) absent (PR, CI)
Actual code is: merged, unexpected merged, unexpected merged, expected
git status tells working tree is clean working tree is clean working tree is clean
git rev-parse HEAD output matches the head of the PR branch, expected matches the head of the PR branch, expected matches merge commit, same as $GITHUB_SHA, expected
git log shows the head commit of PR branch, expected shows the head commit of PR branch, expected shows the merge commit, expected
git branch --contains "$(git rev-parse HEAD)" only tells that head is detached (ok, it's a shallow clone) shows the PR branch, expected tells that head is detached at pull/<pr-number>/merge
git show-ref fails with no-zero exit code and no output, unexpected shows only the PR branch shows pull/<pr-number>/merge
$GITHUB_SHA present and looks like some commit (different than PR branch head) present and looks like some commit (different than PR branch head) is the same as git rev-parse HEAD prints, expected
git log $GITHUB_SHA fails with fatal: bad object (the commit does not exist?) fails with fatal: bad object (the commit does not exist?) same as git log prints
@msugakov msugakov changed the title ref: ${{ github.event.pull_request.head.sha }} only fools git cli to think it's the original commit but the repo content is as-merged ref: ${{ github.event.pull_request.head.sha }} has no effect on the GHA workflow code which is always as-merged Jan 8, 2025
@msugakov
Copy link
Author

msugakov commented Jan 8, 2025
edited
Loading

Okay, I added a simple cat <workflow-file> command and see that the repo contents are indeed clean i.e. there's no registry attribute in the checked out copy.

Picture

image

It seems also logical why actions/checkout's settings have no effect on what workflow code executes - one might simply never call actions/checkout in the workflow but the workflow still needs to execute. I.e. something above checks out the workflow code.

What's left as an open question is how do I tell GHA to execute workflow code as-is from the PR branch and not as-merged with the master so that the behavior is consistent with ref: ${{ github.event.pull_request.head.sha }} I pass to actions/checkout. (Prior to opening this issue, I read a couple others debating whether "as-merged" is the "single right way" to checkout. I'm here not for this kind of debate. In this case it's about the consistency of two things.)
However, understanding this question might be beyond the scope of actions/checkout, I'm ok that this issue gets closed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@msugakov and others