Summary
The "Update pre-commit hooks and run pre-commit" job in .github/workflows/pre-commit.yaml fails at the Checkout step for any pull request opened from a fork. The job fetches the PR head branch by name from the base repo, where that branch does not exist.
Evidence
Observed on PR #286 (head branch lives on a fork). The checkout step runs:
git fetch ... origin +refs/heads/*:... (origin = https://github.com/dreadnode/DreadGOAD)
The process /usr/bin/git failed with exit code 1
Root cause
In .github/workflows/pre-commit.yaml the checkout is configured as:
ref: ${{ github.event.pull_request.head.ref || github.ref }}
with no repository: input. Per the actions/checkout docs, repository defaults to ${{ github.repository }} (the base repo), and ref is fetched from that repository. For a fork PR the head branch only exists on the fork, so fetching it from the base repo fails.
References:
Note that the sibling autofix job (the one that pushes pre-commit fixes back) already guards against forks with !github.event.pull_request.head.repo.fork, so fork PRs are a known edge case for one job but not the other.
Suggested fix
For the checkout that runs pre-commit on fork PRs, point the checkout at the fork:
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.ref }}
Caveat: this fixes the read-only checkout/run. If this job (or its autofix counterpart) also pushes commits back to the PR branch, that push will fail for forks with the default token, so the push step should be guarded against forks the same way the sibling job already is (or skipped for fork PRs).
Impact
Every fork to upstream PR fails this check until merged by an admin who can bypass it.
Summary
The "Update pre-commit hooks and run pre-commit" job in .github/workflows/pre-commit.yaml fails at the Checkout step for any pull request opened from a fork. The job fetches the PR head branch by name from the base repo, where that branch does not exist.
Evidence
Observed on PR #286 (head branch lives on a fork). The checkout step runs:
git fetch ... origin +refs/heads/*:... (origin = https://github.com/dreadnode/DreadGOAD)
The process /usr/bin/git failed with exit code 1
Root cause
In .github/workflows/pre-commit.yaml the checkout is configured as:
ref: ${{ github.event.pull_request.head.ref || github.ref }}
with no repository: input. Per the actions/checkout docs, repository defaults to ${{ github.repository }} (the base repo), and ref is fetched from that repository. For a fork PR the head branch only exists on the fork, so fetching it from the base repo fails.
References:
Note that the sibling autofix job (the one that pushes pre-commit fixes back) already guards against forks with !github.event.pull_request.head.repo.fork, so fork PRs are a known edge case for one job but not the other.
Suggested fix
For the checkout that runs pre-commit on fork PRs, point the checkout at the fork:
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.ref }}
Caveat: this fixes the read-only checkout/run. If this job (or its autofix counterpart) also pushes commits back to the PR branch, that push will fail for forks with the default token, so the push step should be guarded against forks the same way the sibling job already is (or skipped for fork PRs).
Impact
Every fork to upstream PR fails this check until merged by an admin who can bypass it.