ci: build exact PR head commit, not the PR/base merge (#192)
Merged
The dev build workflow lost its checkout ref pinning when the security hardening moved it from pull_request_target to pull_request. On a pull_request event, actions/checkout with no ref defaults to refs/pull/<N>/merge -- the PR branch merged with the base branch -- so PR builds shipped branch+base code instead of the exact pushed commit. For branches diverged from the base this produces wrong/broken artifacts (it caused a production incident on a devnet build).

Restore the ref pinning while keeping the hardening:

- _shared-build.yaml: add an optional `ref` input and pin every actions/checkout to it. The empty default makes checkout fall back to the event default, so push-triggered callers (build-master/-main and build-release) that don't pass a ref keep working unchanged.
- build-dev.yml: compute commit_ref from the PR head sha (read via env to avoid script injection) and pass it to both build jobs.

Safe under pull_request: fork PRs run with a read-only token and no secrets, and docker publishing is gated to same-repo PRs -- so pinning the head sha reintroduces no risk. A DO-NOT-REMOVE banner on the `ref` input documents this so a future automated security pass won't strip it.
qu0b approved these changes on Jun 11, 2026
Problem

build-dev.yml triggers on pull_request but stopped pinning the checkout ref after the "[codex] fix security alerts" hardening. On a pull_request event, actions/checkout with no ref checks out refs/pull/<N>/merge — the PR branch merged with the base branch — so PR builds were producing branch-merged-with-base instead of the exact pushed commit. For branches that have diverged from the base this ships wrong/broken artifacts (it caused a production incident on a devnet build).

Fix (additive — nothing removed, hardening preserved)

- _shared-build.yaml: add an optional ref input and pin every actions/checkout to ${{ inputs.ref }}. Empty default keeps push-triggered callers (build-master/build-main and build-release) working unchanged.
- build-dev.yml: compute commit_ref from github.event.pull_request.head.sha (read via env to avoid script injection) and pass it to both build jobs.

The repo's existing branch_name → docker_tag slash normalization is untouched — commit_ref is a separate raw git SHA that must not be normalized.

Why it's safe

This workflow runs on plain pull_request (not pull_request_target), so fork PRs get a read-only token and no secrets — building untrusted head code is harmless. Docker publishing (which needs secrets) is gated to same-repo PRs. A DO NOT REMOVE banner on the ref input documents this so a future automated security pass doesn't strip it again.

Regression introduced by

The checkout ref pinning was removed by #183 ([codex] fix security alerts). This PR restores it without reverting the security hardening from that PR.
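The two-workflow shape the PR describes, written out as an added illustration rather than the repository's actual workflow files: the file names, the optional `ref` input with an empty default, reading the head sha via env instead of inline `${{ }}` interpolation, and gating publishing to same-repo PRs follow the description above, while the job names, runner image and build step are assumptions.

```yaml
# --- .github/workflows/_shared-build.yaml (reusable workflow, illustrative) ---
name: shared-build
on:
  workflow_call:
    inputs:
      ref:
        # DO NOT REMOVE. With no ref, actions/checkout on a pull_request event
        # checks out refs/pull/<N>/merge (head merged with base), not the pushed
        # commit. pull_request callers must pass the PR head sha; the empty
        # default lets push-triggered callers keep the event's default ref.
        description: "Git sha/ref to build; empty = event default"
        type: string
        required: false
        default: ""
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref }}   # empty string -> checkout falls back to default
      - run: ./build.sh            # hypothetical build step
---
# --- .github/workflows/build-dev.yml (caller, illustrative) ---
name: build-dev
on:
  pull_request:   # not pull_request_target: fork PRs get a read-only token, no secrets
jobs:
  resolve-ref:
    runs-on: ubuntu-latest
    outputs:
      commit_ref: ${{ steps.ref.outputs.commit_ref }}
    steps:
      - id: ref
        # The sha enters the script as an environment variable, never as a
        # ${{ }} expression expanded into the shell text (script-injection sink).
        env:
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: echo "commit_ref=$HEAD_SHA" >> "$GITHUB_OUTPUT"
  build-binaries:
    needs: resolve-ref
    uses: ./.github/workflows/_shared-build.yaml
    with:
      ref: ${{ needs.resolve-ref.outputs.commit_ref }}   # raw sha, not normalized
  build-image:
    needs: resolve-ref
    # Publishing needs secrets, so it only runs for same-repo PRs.
    if: github.event.pull_request.head.repo.full_name == github.repository
    uses: ./.github/workflows/_shared-build.yaml
    with:
      ref: ${{ needs.resolve-ref.outputs.commit_ref }}
```

A caller triggered on push simply omits `with: ref`, so the shared workflow checks out the event's default ref exactly as before.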