diff --git a/.github/workflows/ci-reporting-app-openapi.yml b/.github/workflows/ci-reporting-app-openapi.yml
index d488e2fd..9a2e22d5 100644
--- a/.github/workflows/ci-reporting-app-openapi.yml
+++ b/.github/workflows/ci-reporting-app-openapi.yml
@@ -23,11 +23,18 @@ concurrency: jobs: update-openapi-docs: runs-on: ubuntu-latest + env: + # Pass through env so shell steps are not script-injection vectors (github.head_ref in run:) + HEAD_REF: ${{ github.head_ref }} steps: - uses: actions/checkout@v4 with: - # Checkout the feature branch associated with the pull request - ref: ${{ github.head_ref }} + # Use PR head SHA so fork PRs work (branch name from head_ref may not exist on upstream) + ref: ${{ github.event.pull_request.head.sha }} + + # Detached HEAD at SHA breaks `git push`; recreate the PR branch name at this commit for same-repo PRs + - name: Match branch for git push + run: git checkout -B "$HEAD_REF" - name: Update OpenAPI spec run: make .env openapi-spec
@@ -45,4 +52,5 @@ jobs: --ignore-matching-lines='ref": .*\/[0-9a-z]{32}"$' \ --ignore-matching-lines='[ "'\'']+[0-9a-z]{32}["'\'']*:' \ || git commit -m "Update OpenAPI spec" - git push + # No upstream after checkout -B; push explicitly (same as push -u origin ) + git push origin "HEAD:refs/heads/${HEAD_REF}"
diff --git a/.github/workflows/ci-reporting-app-pr-environment-checks.yml b/.github/workflows/ci-reporting-app-pr-environment-checks.yml
index ef35745d..0a5f35ae 100644
--- a/.github/workflows/ci-reporting-app-pr-environment-checks.yml
+++ b/.github/workflows/ci-reporting-app-pr-environment-checks.yml
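Review bot: The new `Match branch for git push` step, and the `git push origin "HEAD:refs/heads/${HEAD_REF}"` line in the next hunk, are written for same-repo PRs (the comment above the step says so) but nothing gates them on that, so on a fork PR `HEAD_REF` is the fork's branch name and the push targets a branch of that name in the base repository rather than the PR branch. Guard both steps, or the whole job, with `if: github.event.pull_request.head.repo.full_name == github.repository` so fork PRs skip the `checkout -B` and the push instead of failing or creating a stray branch. Passing `github.head_ref` through `env:` and quoting it as `"$HEAD_REF"` in `run:` is the right way to keep the branch name out of the script text; keep every later use in that form rather than inlining `${{ github.head_ref }}`. The job's trigger is outside the hunk; if it is `pull_request`, the default token is read-only for fork PRs and the push would fail there anyway, which the guard makes explicit rather than incidental.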
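Review bot: The comment above the new push line is truncated, `(same as push -u origin )` names no branch; write it as `# No upstream after checkout -B; push explicitly to the PR branch (equivalent to: git push -u origin "$HEAD_REF")`. The script writes `"${HEAD_REF}"` here and `"$HEAD_REF"` in the checkout step; either works, but one spelling makes the variable easier to grep across the workflow. Because the job checked out the PR head SHA rather than the branch tip, this push is rejected as non-fast-forward if the PR advanced while the job ran; that is the desired outcome, so the fix for such a rejection is a re-run, not `--force`. The `run:` block this push belongs to starts outside the hunk.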
@@ -11,10 +11,13 @@ on: pull_request: jobs: + # Fork PRs often fail at configure-aws-credentials (no OIDC). Reliable fork detection in job-level `if` is flaky + # because `pull_request` payload fields differ from the REST API — do not re-add a “fork skip” job without verifying + # in Actions logs. Use branch protection to treat this check as optional for external contributors if needed. update: name: " " # GitHub UI is noisy when calling reusable workflows, so use whitespace for name to reduce noise uses: ./.github/workflows/pr-environment-checks.yml - if: github.event_name == 'workflow_dispatch' || github.event.pull_request.state == 'open' + if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.state == 'open') with: app_name: "reporting-app" environment: "dev"
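Review bot: The new comment above `update:` tells future maintainers not to add a fork-skip condition because fork detection from the `pull_request` payload is flaky, but `github.event.pull_request.head.repo.full_name != github.repository` (or `head.repo.fork`) is the documented way to detect a fork from that payload, so the comment should record what was actually observed, which expression was tried and which field was missing in the run logs, rather than ruling the approach out in general. A wording that preserves the warning without the unverified claim: `# Fork PRs fail at configure-aws-credentials (no OIDC for forks). A job-level fork-skip condition was removed after it misfired (see <link to run or issue>); check the Actions logs before reintroducing one.` The added `github.event_name == 'pull_request'` guard in the `if:` is harmless: on other events `github.event.pull_request.state` is empty and the comparison was already false, so the change is mainly documentary. Only `pull_request` is visible under `on:` in this hunk; if `workflow_dispatch` is not also declared outside it, the first half of the condition is dead.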