🐛 fix: checkout PR head SHA for issue_comment triggered workflows (llm-d#832)

* 🐛 fix: checkout PR head SHA for issue_comment triggered workflows

When /trigger-e2e-full is used on a PR, the workflow is triggered via
issue_comment event. For this event type, github.sha points to the
default branch (main), not the PR head. This caused e2e-tests and
lint-and-test jobs to build/test main instead of the PR changes.

Fix:
- Export pr_head_sha from check-code-changes job (already computed)
- e2e-tests: use pr_head_sha output in checkout (already depends on check-code-changes)
- lint-and-test: add PR info step to resolve head SHA for issue_comment events
- When ref is empty string, actions/checkout falls back to default behavior (correct for pull_request events)

Signed-off-by: Andrew Anderson <andy@clubanderson.com>

* chore: re-trigger CI checks

Signed-off-by: Andrew Anderson <andy@clubanderson.com>

* 🐛 fix: address copilot review - security gates for issue_comment events

- Skip lint-and-test for issue_comment events (already runs on pull_request)
- Remove duplicated PR head SHA resolution from lint-and-test
- Tighten e2e-tests gate: issue_comment only runs when check-full-tests
  validates an approved trigger from a trusted collaborator
- Explicitly handle workflow_dispatch and pull_request event types

Signed-off-by: Andrew Anderson <andy@clubanderson.com>

* 🐛 fix: address round 2 copilot review

- Restore workflow_dispatch smoke-test path (run_full OR has_code_changes)
- Require check-code-changes success for issue_comment e2e runs
- Add explicit validation step to fail fast if pr_head_sha is empty

Signed-off-by: Andrew Anderson <andy@clubanderson.com>

---------

Signed-off-by: Andrew Anderson <andy@clubanderson.com>

Author: clubanderson

.github/workflows/ci-pr-checks.yaml

@@ -52,6 +52,7 @@ jobs:
       pull-requests: read  # For reading PR details when triggered via issue_comment
     outputs:
       has_code_changes: ${{ steps.set-output.outputs.has_code_changes }}
+      pr_head_sha: ${{ steps.pr-info.outputs.pr_head_sha }}
     steps:
       - name: Get PR number for issue_comment events
         id: pr-info
@@ -108,7 +109,10 @@ jobs:
             echo "has_code_changes=true" >> $GITHUB_OUTPUT
           fi
 
+  # lint-and-test already runs on pull_request events; skip for issue_comment
+  # to avoid untrusted commenters triggering execution of PR code
   lint-and-test:
+    if: github.event_name != 'issue_comment'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout source
@@ -250,13 +254,32 @@ jobs:
   e2e-tests:
     runs-on: ubuntu-latest
     needs: [lint-and-test, check-code-changes, check-full-tests]
-    if: always() && (needs.check-full-tests.outputs.run_full == 'true' || (needs.check-code-changes.result == 'success' && needs.check-code-changes.outputs.has_code_changes == 'true'))
+    if: >-
+      always() && (
+        (github.event_name == 'issue_comment' && needs.check-full-tests.outputs.run_full == 'true' && needs.check-code-changes.result == 'success') ||
+        (github.event_name == 'workflow_dispatch' && (
+          needs.check-full-tests.outputs.run_full == 'true' ||
+          (needs.check-code-changes.result == 'success' && needs.check-code-changes.outputs.has_code_changes == 'true')
+        )) ||
+        (github.event_name == 'pull_request' && needs.check-code-changes.result == 'success' && needs.check-code-changes.outputs.has_code_changes == 'true')
+      )
     timeout-minutes: 60
     permissions:
       contents: read
     steps:
+      - name: Validate PR head SHA for issue_comment events
+        if: github.event_name == 'issue_comment'
+        run: |
+          if [ -z "${{ needs.check-code-changes.outputs.pr_head_sha }}" ]; then
+            echo "::error::pr_head_sha is empty — refusing to fall back to main"
+            exit 1
+          fi
+          echo "Checkout will use PR head SHA: ${{ needs.check-code-changes.outputs.pr_head_sha }}"
+
       - name: Checkout source
         uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.check-code-changes.outputs.pr_head_sha || '' }}
 
       - name: Extract Go version from go.mod
         run: sed -En 's/^go (.*)$/GO_VERSION=\1/p' go.mod >> $GITHUB_ENV