`ref: ${{ github.event.pull_request.head.sha }}` has no effect on the GHA workflow code which is always as-merged #2035
Description
Hello,
When doing some testing in a PR I spotted that, although the action is set up to check out the PR branch commit via

```yaml
- uses: actions/checkout@v4
  with:
    ref: ${{ github.event.pull_request.head.sha }}
```

(as explained here), CI sees the code lines from the `master` branch merged with the PR branch. It is also especially notable that `git rev-parse HEAD` reports the same commit id I see locally and `git status` reports that the working tree is clean.
Could you please tell

- What is that thing which `actions/checkout@v4` checks out when `ref:` is set to `${{ github.event.pull_request.head.sha }}`?
- How can the git commit id show up unchanged and the working tree be clean despite the evidently present changes in the tracked files?

Or does the workflow (my PR changes were to the GHA workflow file) always get checked out for execution as-merged irrespective of what `actions/checkout` does and how it's configured?
Verbose details below.
Thanks,
Misha
How I spotted this
I made a change to the `master` branch in which a couple of new attributes appeared, specifically the one called `registry`.
And it showed up in the GHA output https://github.com/stackrox/stackrox/actions/runs/12656587616/job/35269481605#step:3:73
Before landing that change I opened a PR stackrox/stackrox#13721 from the earlier `master` state which does not include that `registry` attribute. Here's that location in the PR's branch for comparison https://github.com/stackrox/stackrox/blob/misha/ROX-26026-scanner-ci-test/.github/workflows/scanner-build.yaml#L62 - no `registry` present.
The PR branch was cut after a7b8a0ad097604edcde64777a00900c712704844 and that commit's CI does not mention `registry`, as expected.
https://github.com/stackrox/stackrox/actions/runs/12648870573/job/35244064042#step:3:49
With the current state of `master`, despite the `checkout` action being set up to check out the head of the PR branch (https://github.com/stackrox/stackrox/blob/misha/ROX-26026-scanner-ci-test/.github/workflows/scanner-build.yaml#L22-L25), there was a `registry` attribute in the action output, which is unexpected.
https://github.com/stackrox/stackrox/actions/runs/12670019672/job/35308764568?pr=13721#step:3:135
Observations
I added some debug info in the form of printing GHA variables and `git` CLI calls and here's what I found.
| `ref` is: | `github.event.pull_request.head.sha` (PR, CI) | `github.head_ref` (PR, CI) | absent (PR, CI) |
|---|---|---|---|
| Actual code is: | merged, unexpected | merged, unexpected | merged, expected |
| `git status` tells | working tree is clean | working tree is clean | working tree is clean |
| `git rev-parse HEAD` output | matches the head of the PR branch, expected | matches the head of the PR branch, expected | matches merge commit, same as `$GITHUB_SHA`, expected |
| `git log` | shows the head commit of PR branch, expected | shows the head commit of PR branch, expected | shows the merge commit, expected |
| `git branch --contains "$(git rev-parse HEAD)"` | only tells that head is detached (ok, it's a shallow clone) | shows the PR branch, expected | tells that head is detached at `pull/<pr-number>/merge` |
| `git show-ref` | fails with non-zero exit code and no output, unexpected | shows only the PR branch | shows `pull/<pr-number>/merge` |
| `$GITHUB_SHA` | present and looks like some commit (different than PR branch head) | present and looks like some commit (different than PR branch head) | is the same as `git rev-parse HEAD` prints, expected |
| `git log $GITHUB_SHA` | fails with `fatal: bad object` (the commit does not exist?) | fails with `fatal: bad object` (the commit does not exist?) | same as `git log` prints |
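
The git checks from the Observations table, collected into one debug step as an added example (not part of the original issue and not code from actions/checkout). `PR_HEAD_SHA` is an assumed variable name that a workflow would set via `env:` from `github.event.pull_request.head.sha`; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: report which commit a checkout step left in the working tree.
# It inspects the clone only; it does not show which revision of the
# workflow file the runner loaded.

classify_checkout() {
  # $1 = repo dir, $2 = PR head SHA, $3 = event commit ($GITHUB_SHA)
  local dir=$1 pr_head=$2 event_sha=$3 head
  head=$(git -C "$dir" rev-parse HEAD) || return 2
  if [ "$head" = "$event_sha" ]; then
    echo "merge-commit"
  elif [ "$head" = "$pr_head" ]; then
    echo "pr-head"
  else
    echo "other"
  fi
}

event_sha_present() {
  # Same question as `git log $GITHUB_SHA`: is the object in this clone?
  if git -C "$1" cat-file -e "$2^{commit}" 2>/dev/null; then
    echo yes
  else
    echo no
  fi
}

report() {
  local dir=$1 pr_head=$2 event_sha=$3
  echo "HEAD:               $(git -C "$dir" rev-parse HEAD)"
  echo "PR head:            $pr_head"
  echo "GITHUB_SHA:         $event_sha"
  echo "checkout is:        $(classify_checkout "$dir" "$pr_head" "$event_sha")"
  echo "GITHUB_SHA present: $(event_sha_present "$dir" "$event_sha")"
  echo "modified files:     $(git -C "$dir" status --porcelain | wc -l)"
  git -C "$dir" show-ref || echo "(show-ref: no refs)"
}

# Runs only when the assumed PR_HEAD_SHA variable is provided by the workflow.
if [ -n "${PR_HEAD_SHA:-}" ]; then
  report . "$PR_HEAD_SHA" "${GITHUB_SHA:-}"
fi
```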