22 changes: 20 additions & 2 deletions .github/workflows/pr-fixer.yml
Expand Up @@ -67,6 +67,15 @@ jobs:
echo "skip=false" >> $GITHUB_OUTPUT
fi

- name: Get PR branch
if: steps.fork_check.outputs.skip != 'true'
id: pr_branch
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
BRANCH=$(gh pr view ${{ steps.pr.outputs.number }} --repo "${{ github.repository }}" --json headRefName --jq '.headRefName')
echo "branch=$BRANCH" >> $GITHUB_OUTPUT
Comment on lines +70 to +77
⚠️ Potential issue | 🔴 Critical

Block fork PRs in the manual-dispatch path.

workflow_dispatch still skips the fork guard, but this change now feeds the PR’s headRefName into a repo URL that is always ${{ github.repository }}. For a fork PR, that targets the base repo with a branch name from the contributor’s fork; the runner’s checkout path falls back to git checkout -b <branch> when the branch is missing, so the fixer can create/push a same-named branch in the base repository instead of the PR head repo. Please run the same isCrossRepository check for manual dispatch too, or resolve the PR head repository URL and pass that into repos.

🔧 Minimal fix
-      - name: Check PR is not a fork (issue_comment)
-        if: github.event_name == 'issue_comment'
+      - name: Check PR is not a fork
+        if: github.event_name == 'issue_comment' || github.event_name == 'workflow_dispatch'

Also applies to: 93-93

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-fixer.yml around lines 70 - 77, The manual-dispatch
path uses the pr_branch step (id: pr_branch) and currently calls gh pr view with
--repo set to the base ${GITHUB_REPOSITORY}, which can cause the workflow to
checkout/create branches in the base repo for fork PRs; update the pr_branch
logic to perform the same cross-repo guard used elsewhere (the isCrossRepository
check / steps.fork_check result) or resolve the PR head repository URL from gh
pr view and pass that repo into --repo (or repos) when invoking gh; ensure you
reference the PR number input (steps.pr.outputs.number) and only use the base
repo when the PR is not cross-repository, otherwise use the head repo returned
by gh pr view so the branch name is resolved against the correct repository.


- name: Fix PR
if: steps.fork_check.outputs.skip != 'true'
id: session
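Review bot: The new run script expands `${{ steps.pr.outputs.number }}` inline in `BRANCH=$(gh pr view ${{ steps.pr.outputs.number }} ...)`; expression values inside `run:` are substituted as text before the shell sees them, so any value that is not guaranteed numeric can change the command. Pass it through the step's `env:` next to GH_TOKEN (e.g. `PR_NUMBER: ${{ steps.pr.outputs.number }}`) and reference `"$PR_NUMBER"` in the script, and quote `"$GITHUB_OUTPUT"` on the echo line while here.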
Expand All @@ -81,7 +90,7 @@ jobs:
comments (fix valid issues, respond to invalid ones), run lints
and tests, and push the fixes.
repos: >-
[{"url": "https://github.com/${{ github.repository }}", "branch": "main"}]
[{"url": "https://github.com/${{ github.repository }}", "branch": "${{ steps.pr_branch.outputs.branch }}"}]
workflow: >-
{"gitUrl": "https://github.com/ambient-code/workflows", "branch": "main", "path": "internal-workflows/pr-fixer"}
model: claude-sonnet-4-5
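Review bot: The branch name is spliced unescaped into a JSON string in `"branch": "${{ steps.pr_branch.outputs.branch }}"`. Git ref names may legally contain `"`, `$`, `{`, `}`, `;` and backticks (check-ref-format only rejects control characters, space, `~`, `^`, `:`, `?`, `*`, `[` and `\`), so a head branch containing a double quote would reshape the `repos` document instead of simply failing. Emit an escaped literal with the expression function instead, `"branch": ${{ toJSON(steps.pr_branch.outputs.branch) }}`, so the JSON stays well-formed whatever the ref is named; this matters most on the paths where the head ref can come from a contributor.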
Expand Down Expand Up @@ -177,6 +186,15 @@ jobs:
echo "skip=false" >> $GITHUB_OUTPUT
fi

- name: Get PR branch
if: steps.churn_check.outputs.skip != 'true'
id: pr_branch
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
BRANCH=$(gh pr view ${{ matrix.pr_number }} --repo "${{ github.repository }}" --json headRefName --jq '.headRefName')
echo "branch=$BRANCH" >> $GITHUB_OUTPUT

- name: Fix PR #${{ matrix.pr_number }}
if: steps.churn_check.outputs.skip != 'true'
id: session
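Review bot: This job gates the new step only on `steps.churn_check.outputs.skip`, and `--repo "${{ github.repository }}"` again resolves `headRefName` against the base repository. Unless churn_check already excludes cross-repository PRs (the visible lines show no `isCrossRepository` check in this job), the scheduled path inherits the problem flagged for manual dispatch above: a fork PR's head branch name is handed to the fixer as a branch of the base repo. Please either add the fork guard to churn_check or take the head repository from `gh pr view` (the `headRepositoryOwner` and `headRepository` JSON fields) and use that URL in `repos`. The `${{ matrix.pr_number }}` expansion inside the run script should also be passed via `env:` rather than interpolated into the shell text.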
Expand All @@ -191,7 +209,7 @@ jobs:
comments (fix valid issues, respond to invalid ones), run lints
and tests, and push the fixes.
repos: >-
[{"url": "https://github.com/${{ github.repository }}", "branch": "main"}]
[{"url": "https://github.com/${{ github.repository }}", "branch": "${{ steps.pr_branch.outputs.branch }}"}]
workflow: >-
{"gitUrl": "https://github.com/ambient-code/workflows", "branch": "main", "path": "internal-workflows/pr-fixer"}
model: claude-sonnet-4-5
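Review bot: Same unescaped interpolation of the branch name into the JSON literal as in the issue_comment job's `repos` value; use `"branch": ${{ toJSON(steps.pr_branch.outputs.branch) }}` here as well so a head ref containing `"` cannot break or alter the document.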