
fix(ci): use pull_request.head.sha in validate-lockfile git diff#7716

Merged
aloisklink merged 1 commit into mermaid-js:develop from sjackson0109:fix/validate-lockfile-pr-target-sha on May 7, 2026

Conversation

@sjackson0109 (Contributor)

Problem

In a pull_request_target workflow, ${{ github.sha }} resolves to the base branch HEAD (i.e. develop), not the PR head commit. The checkout step correctly uses ${{ github.event.pull_request.head.sha }} to check out the fork's code, but the subsequent git diff command still uses ${{ github.sha }}:

git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} > changed.txt

When a PR comes from a fork, ${{ github.sha }} refers to a commit that does not exist in the fork's cloned history. This causes:

fatal: bad object <sha-of-upstream-develop>

Because the script runs under set -e, it exits immediately — before the issues array is ever populated. The workflow then posts a "Lockfile Validation Failed" comment with a blank body, causing confusion and a false-positive failure on every fork PR that touches pnpm-lock.yaml or package.json.

Fix

Replace ${{ github.sha }} with ${{ github.event.pull_request.head.sha }} so the diff compares the correct two commits: the PR base vs the PR head.

- git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} > changed.txt
+ git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }} > changed.txt
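Review bot: the corrected range still assumes both `base.sha` and `head.sha` are reachable in the checkout, and because the script runs under `set -e` (as described above) any unresolvable object still exits before `issues` is populated and the job posts an empty "Lockfile Validation Failed" comment; consider resolving both commits explicitly before the diff (for example `git cat-file -e "$sha^{commit}"` for each) and failing the step with an error naming the missing SHA, so a git failure surfaces as a clear CI error rather than a blank validation comment. Since this workflow runs under `pull_request_target` (as aloisklink notes below), it is also worth confirming that the fork checkout this diff reads from is only used as diff input and nothing from it is executed.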

Verification

This was originally diagnosed while investigating CI failures on PR #7700 (a fork PR touching package.json). Checked manually: all three lockfile validations pass; only the git diff step fails with the bad object error.

The actions/checkout step on the line immediately above already uses github.event.pull_request.head.sha — consistency is also improved by this change.
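As an added example (not the project's validate-lockfile.yml), the step the PR describes in a hardened form: the checkout ref and the git diff range both use pull_request.head.sha, and both commits are verified to exist before diffing so a missing object fails the step with an explicit error instead of tripping set -e into an empty comment. The fetch-depth, the paths filter, the step and job names and the env-variable plumbing are assumptions; only the ${{ }} expressions are the ones the PR uses.

```yaml
# Added example, not the project's own workflow. Job/step names, fetch-depth
# and the paths filter are assumptions; the expressions are those from the PR.
on:
  pull_request_target:
    paths: ['pnpm-lock.yaml', 'package.json']

jobs:
  validate-lockfile:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Same ref the PR description says the existing checkout already uses.
          # Under pull_request_target this is untrusted fork code: it is only
          # read by git diff below, never executed.
          ref: ${{ github.event.pull_request.head.sha }}
          # Assumption: full history so base.sha is resolvable in the clone.
          fetch-depth: 0

      - name: List changed files
        env:
          # Pass expressions via env instead of interpolating into the script.
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}   # not github.sha
        run: |
          set -euo pipefail
          # Fail loudly, naming the offending SHA, instead of letting `set -e`
          # abort silently before the validation comment body is built.
          for sha in "$BASE_SHA" "$HEAD_SHA"; do
            if ! git cat-file -e "${sha}^{commit}"; then
              echo "::error::commit $sha is not present in the checkout"
              exit 1
            fi
          done
          git diff --name-only "$BASE_SHA" "$HEAD_SHA" > changed.txt
          cat changed.txt
```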

@netlify

netlify Bot commented May 6, 2026

Deploy Preview for mermaid-js ready!

Name Link
🔨 Latest commit 17abbd0
🔍 Latest deploy log https://app.netlify.com/projects/mermaid-js/deploys/69fb7b4e4e55a5000874ff40
😎 Deploy Preview https://deploy-preview-7716--mermaid-js.netlify.app

@changeset-bot

changeset-bot Bot commented May 6, 2026

⚠️ No Changeset found

Latest commit: 17abbd0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


@github-actions github-actions Bot added the Type: Bug / Error Something isn't working or is incorrect label May 6, 2026

In a pull_request_target workflow, github.sha resolves to the base
branch HEAD (develop), not the PR head commit. This causes a
'fatal: bad object' error on fork PRs because the upstream develop
HEAD does not exist in the fork's cloned history. The script exits
immediately (set -e), the issues array is never populated, and every
fork PR touching pnpm-lock.yaml gets a blank 'Lockfile Validation
Failed' comment as a false positive.

Replace github.sha with github.event.pull_request.head.sha so the
diff correctly compares the PR base against the PR head.

The actions/checkout step above already uses pull_request.head.sha,
so this change also improves consistency.

@sjackson0109 sjackson0109 force-pushed the fix/validate-lockfile-pr-target-sha branch from 57f721f to 17abbd0 Compare May 6, 2026 17:32
@pkg-pr-new

pkg-pr-new Bot commented May 6, 2026


@mermaid-js/examples

npm i https://pkg.pr.new/@mermaid-js/examples@7716

mermaid

npm i https://pkg.pr.new/mermaid@7716

@mermaid-js/layout-elk

npm i https://pkg.pr.new/@mermaid-js/layout-elk@7716

@mermaid-js/layout-tidy-tree

npm i https://pkg.pr.new/@mermaid-js/layout-tidy-tree@7716

@mermaid-js/mermaid-zenuml

npm i https://pkg.pr.new/@mermaid-js/mermaid-zenuml@7716

@mermaid-js/parser

npm i https://pkg.pr.new/@mermaid-js/parser@7716

@mermaid-js/tiny

npm i https://pkg.pr.new/@mermaid-js/tiny@7716

commit: 17abbd0

@codecov

codecov Bot commented May 6, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 3.30%. Comparing base (98b3155) to head (17abbd0).


@@            Coverage Diff             @@
##           develop   #7716      +/-   ##
==========================================
- Coverage     3.30%   3.30%   -0.01%     
==========================================
  Files          560     561       +1     
  Lines        58344   58355      +11     
  Branches       873     873              
==========================================
  Hits          1928    1928              
- Misses       56416   56427      +11     
Flag Coverage Δ
unit 3.30% <ø> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes


@argos-ci

argos-ci Bot commented May 6, 2026

The latest updates on your projects. Learn more about Argos notifications ↗︎

Build Status Details Updated (UTC)
default (Inspect) 👍 Changes approved 11 changed May 6, 2026, 5:44 PM

@sjackson0109 (Contributor, Author)

@knsv - please can you review and hopefully approve?

This is intended to fix the SHA hard-coded issue affecting the Validate pnpm-lock.yaml / validate-lockfile pipeline task.

@knsv knsv left a comment (Collaborator)

Nice catch and clean fix. Diagnosis is correct: under pull_request_target, ${{ github.sha }} resolves to the base branch HEAD, not the PR head, so the git diff resolved a commit that wasn't in the fork's cloned history and tripped set -e before issues was populated — producing the empty "Lockfile Validation Failed" comment.

Replacing it with ${{ github.event.pull_request.head.sha }} matches what the actions/checkout step on the line above already uses, so the workflow is now internally consistent and the diff actually resolves. CI is green. LGTM.

@aloisklink aloisklink left a comment (Member)

LGTM to me too.

It looks like this issue has been around since #7116

As a warning to other reviewers (e.g. @knsv), this validate-lockfile.yml uses pull_request_target, so changes to this are extremely dangerous and should be reviewed carefully.

But using github.event.pull_request.head.sha instead of github.sha is safe.

@aloisklink aloisklink added this pull request to the merge queue May 7, 2026
Merged via the queue into mermaid-js:develop with commit 8b52e53 May 7, 2026
25 checks passed
@mermaid-bot

mermaid-bot Bot commented May 7, 2026

@sjackson0109, Thank you for the contribution!
You are now eligible for a year of Premium account on MermaidChart.
Sign up with your GitHub account to activate.

@sjackson0109 (Contributor, Author)

Thanks for the approval and merge.


Labels

Type: Bug / Error Something isn't working or is incorrect
