From e480956774f33be34e77214ca39aa078f03dbb89 Mon Sep 17 00:00:00 2001 From: Tejas Kashinath Date: Wed, 20 May 2026 16:00:36 -0400 Subject: [PATCH] ci(security-review): set origin/HEAD so the bundled skill's git diff works The /security-review slash command runs `git diff origin/HEAD...` as its first action to enumerate the PR's changes. actions/checkout doesn't set up the remote's symbolic HEAD ref, so that command fails with "ambiguous argument 'origin/HEAD...': unknown revision". Claude then loops trying variants until --max-turns 30 trips and the action exits 1. Set origin/HEAD to the PR's base ref right after checkout so the skill's git invocations resolve correctly. Run #26186045056 on PR #1321 was the trigger - 30 turns spent on shell-error recovery, no findings posted. --- .github/workflows/pr-security-review.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/pr-security-review.yml b/.github/workflows/pr-security-review.yml index 86d08ddf6..131361a93 100644 --- a/.github/workflows/pr-security-review.yml +++ b/.github/workflows/pr-security-review.yml @@ -167,6 +167,19 @@ jobs: # the base branch locally too. fetch-depth: 0 grabs the full history. fetch-depth: 0 + - name: Set origin/HEAD for /security-review skill + env: + BASE_REF: ${{ steps.pr.outputs.base_ref }} + run: | + set -euo pipefail + # actions/checkout doesn't set up the remote's symbolic HEAD ref, so + # `git diff origin/HEAD...` (the first command the bundled + # /security-review skill runs) fails with "ambiguous argument + # 'origin/HEAD...': unknown revision". Point origin/HEAD at the PR's + # base branch so the skill resolves the diff against the right ref. + git remote set-head origin "$BASE_REF" + git symbolic-ref refs/remotes/origin/HEAD + - name: Configure AWS credentials (OIDC) uses: aws-actions/configure-aws-credentials@v6 with:
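Review bot: the verification at the end of the new step only prints the symbolic ref; `git symbolic-ref refs/remotes/origin/HEAD` would also succeed in a state where the skill's actual command still fails, so consider asserting the thing the fix is meant to guarantee, e.g. replace that line with `git merge-base origin/HEAD HEAD >/dev/null` (the three-dot form `origin/HEAD...` resolves exactly when a merge base exists), so a regression fails this step with a clear message instead of resurfacing as the 30-turn loop described in the commit message. Two related dependencies are worth a comment in the script: `git remote set-head origin "$BASE_REF"` only works if `refs/remotes/origin/$BASE_REF` already exists locally, which holds here because the preceding `fetch-depth: 0` fetches all branches (per the context lines above), so tightening the checkout to a shallow or single-ref fetch later would break this step; and the step assumes an earlier step with `id: pr` exposing `base_ref`, which is not visible in this hunk. Passing the base ref via `env:` rather than interpolating `${{ }}` into `run:` is the right call, since the value is attacker-influenced in a PR workflow.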