Commit 13a480e
ci: Pin accept job to head.sha and push as fast-forward
Two related findings from review bots:

1. accept-api-changes was checking out head.ref (latest branch tip) while the matrix snapshotted head.sha (event-time tip). If the contributor pushed during the run, accept would commit old verified files on top of new code.
2. The blind 'git push' could fail non-fast-forward if the branch moved.

Pin both jobs to head.sha. Push from detached HEAD to refs/heads/head.ref so the push fails fast (non-FF) if the branch advanced — re-running then regenerates a fresh snapshot against the new head.
1 parent 3711bc7 commit 13a480e

1 file changed

Lines changed: 9 additions & 2 deletions

.github/workflows/verify-api.yml

@@ -125,10 +125,14 @@ jobs:
125125
pull-requests: write
126126

127127
steps:
128+
# Pin to the same head.sha the matrix job snapshotted against. We push
129+
# to the branch (head.ref) below — if the contributor pushed in the
130+
# meantime, the push won't fast-forward and the workflow fails. Re-running
131+
# generates a fresh snapshot against the new head. Self-healing.
128132
- name: Checkout
129133
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
130134
with:
131-
ref: ${{ github.event.pull_request.head.ref }}
135+
ref: ${{ github.event.pull_request.head.sha }}
132136

133137
# When the matrix produces no received files (clean PR), no artifact is uploaded.
134138
# download-artifact's pattern branch tolerates zero matches without erroring, so
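Review bot: the new comment block above the Checkout step should spell out that `ref: ${{ github.event.pull_request.head.sha }}` leaves the runner on a detached HEAD, because that is what makes the old bare `git push` (removed in the second hunk) stop working and forces the explicit `HEAD:refs/heads/...` refspec there; as written, "We push to the branch (head.ref) below" only hints at the coupling, and a future edit to either step in isolation will break the other. Stating it as "checkout by SHA -> detached HEAD -> push must name the target ref" keeps the two hunks tied together for the next reader. Minor style point: the trailing fragment "Self-healing." reads as a note-to-self; fold it into the previous sentence ("...against the new head, so a failed run self-heals on re-run").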
@@ -172,7 +176,10 @@ jobs:
172176
git config --global user.email 'bot+github-bot@sentry.io'
173177
git add -A
174178
git commit -m "Accept API verifier changes"
175-
git push
179+
# Push from detached HEAD to the PR branch. Fails non-fast-forward
180+
# if the contributor pushed since we snapshotted head.sha — workflow
181+
# fails red, re-run regenerates against the new head.
182+
git push origin "HEAD:refs/heads/${{ github.event.pull_request.head.ref }}"
176183
177184
- name: Label Public API PR
178185
if: steps.detect.outputs.has_changes == 'true'
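Review bot: the new push line interpolates `${{ github.event.pull_request.head.ref }}` directly into a `run:` shell command. A PR branch name is attacker-controlled input, and GitHub's expression syntax substitutes it into the script before the shell parses it, so the double quotes do not protect against metacharacters in the name; in a job that already holds write permissions this is the classic workflow script-injection shape. Pass it through the environment instead, which the shell then treats as data:
`env:`
`  HEAD_REF: ${{ github.event.pull_request.head.ref }}`
`run: git push origin "HEAD:refs/heads/$HEAD_REF"`
Same fix applies anywhere else in this file that splices `head.ref` into a `run:` block. Separately, the comment's "fails red" is accurate, but the failure only surfaces after the full accept run has done its work; worth saying "push is rejected as non-fast-forward" so readers do not expect an early abort.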
