SRE 696: Fix stale approvals reusable workflow checkout for PR callers

[lunelson]

Summary

• Always checkout the shared action from hashintel/.github instead of the PR head repository
• Remove the split checkout path added in Avoid dismissing approvals on restacks alone #58 for pull_request events
• Use the reusable workflow ref when it can be resolved, with main as the pull_request fallback

Why

PR #58 made pull_request events checkout the PR head repository so changes to .github/actions/dismiss-stale-approvals could be self-tested before merge. That breaks callers in other repositories because their PR head checkout does not contain .github/actions/dismiss-stale-approvals/self-test.sh.

The reusable workflow should run the actual shared action from hashintel/.github regardless of which repository triggered the PR event.

Linear

• SRE-696

Tests

• .github/actions/dismiss-stale-approvals/self-test.sh

[cursor]

PR Summary

Low Risk
Low risk workflow-only change, but it can affect CI behavior by changing which repository/ref is checked out for the stale-approvals action (with a fallback to main).

Overview
Ensures the stale-approvals reusable workflow always checks out .github/actions/dismiss-stale-approvals from hashintel/.github (instead of conditionally checking out a PR head repo), so the action and self-test.sh are available for PR callers in other repositories.

Adds a fallback checkout ref of main when the reusable workflow ref cannot be resolved (e.g., pull_request events), while keeping the OIDC-based ref resolution for non-pull_request events.

^{Reviewed by Cursor Bugbot for commit ffd712f. Bugbot is set up for automated code reviews on this repo. Configure here.}

[augmentcode]

🤖 Augment PR Summary

Summary: Updates the preflight-stale-approvals reusable workflow to only check out the PR head when the caller repo is hashintel/.github; other PR callers now check out hashintel/.github at the reusable workflow ref.
Why: Preserves action self-testing for .github PRs while preventing external repos from missing the shared action/self-test files.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. No suggestions at this time.

Comment augment review to trigger a new review at any time.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit ffd712f. Configure here.}

[cursor]

Checkout uses main on pull_request

Medium Severity

On every pull_request run (including reusable workflows invoked from another repo’s PR), Resolve reusable workflow ref is skipped and checkout uses main on hashintel/.github. Callers pinned to another ref no longer get that ref, and hashintel/.github PRs no longer exercise the PR’s action changes.

Additional Locations (1)

• .github/workflows/preflight-stale-approvals.yml#L34-L37

 

^{Reviewed by Cursor Bugbot for commit ffd712f. Configure here.}

[TimDiekmann]

If we don't make the workflow-ref job conditional, we can use the output all the time I think. It should work all the time.

[lunelson]

Superseded by #63, which uses an origin branch now that I have access to push to hashintel/.github.