
fix(ci): checkout the event SHA in governance jobs (re-enable PR-time enforcement)#442

Merged
hyperpolymath merged 1 commit into
mainfrom
claude/hypatia-scan-cache-licence-rup52j
Jun 27, 2026

Conversation

@hyperpolymath

Owner

Summary

Fixes the estate-wide governance failure where 8 of 10 jobs in governance-reusable.yml die at checkout on every PR with:

fatal: couldn't find remote ref refs/pull/<n>/merge

(This is the refs/pull/<n>/merge item flagged as out-of-scope in #441 — now resolved with owner approval.)

Root cause

governance.yml triggers on pull_request and calls governance-reusable.yml via workflow_call. Inside a reusable workflow, github.ref inherits the caller's PR ref, which on a pull_request event is the named merge ref refs/pull/<n>/merge. The 8 jobs that pass ref: ${{ github.ref }} to actions/checkout therefore ask it to git fetch refs/pull/<n>/merge — a named ref checkout cannot resolve — and fail at the checkout step.

The two jobs that omit an explicit ref: (workflow-staleness, validate-hypatia-baseline) use checkout's default and were unaffected — exactly matching the observed 8/10.

Consequence today: governance is effectively ungated on PRs — only push-to-main runs enforce.

Fix

Pin the 8 caller-repo checkouts to ref: ${{ github.sha }} — the concrete event commit (the PR merge commit on pull_request, the pushed commit on push). It resolves to the same commit refs/pull/<n>/merge points at, but is always fetchable. A short comment at each site explains why github.ref must not be used here.

  • Affected jobs: language-policy, package-policy, security-policy, quality, wellknown, workflow-lint, trusted-base, licence-consistency.
  • The 3 secondary checkouts (`repository: hyperpolymath/standards` + `ref: main`, which fetch the check scripts) are untouched.
  • Content/enforcement semantics are preserved: the diff-based step (quality's trufflehog) already uses explicit github.sha / github.event.pull_request.base.sha, independent of the checkout ref.

Blast radius (owner-acknowledged)

This re-enables PR-time governance enforcement across every repo consuming the reusable workflow. PRs that were silently passing (because the jobs never ran) may now surface real governance violations. Approved by owner 2026-06-27.

Verification

  • `python3 -c "import yaml; yaml.safe_load(...)"`: YAML OK.
  • Structural check: 13 checkout steps total — 2 bare (unchanged), 8 now ref: ${{ github.sha }}, 3 standards-checkout ref: main (unchanged). No ref: ${{ github.ref }} remains.

🤖 Generated with Claude Code


…ce jobs

The 8 governance-reusable.yml jobs that pass `ref: ${{ github.ref }}` to
actions/checkout were failing at checkout on every PR with
"couldn't find remote ref refs/pull/<n>/merge".

Root cause: governance.yml triggers on pull_request and calls
governance-reusable.yml via workflow_call. In a reusable workflow,
github.ref inherits the caller's PR ref, which is the named merge ref
refs/pull/<n>/merge. actions/checkout cannot fetch that named ref, so the
8 jobs that requested it died at checkout — leaving governance effectively
ungated on PRs (only push-to-main runs were enforcing). The two jobs that
omit an explicit ref (workflow-staleness, validate-hypatia-baseline) were
unaffected, matching the observed 8/10 failure.

Fix: pin those checkouts to `ref: ${{ github.sha }}` — the concrete event
commit (the PR merge commit on pull_request, the pushed commit on push).
github.sha resolves to the same merge commit refs/pull/<n>/merge points
at, but is always fetchable. Content is unchanged; the diff-based jobs
(quality trufflehog base/head) already use explicit SHAs, so enforcement
semantics are preserved. The secondary `ref: main` checkouts that pull the
standards check scripts are untouched.

Estate-wide: re-enables PR-time governance enforcement across all repos
that consume this reusable workflow. Owner-approved 2026-06-27.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01MJdfXv5E5gwGD2yaJq8jRM
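An added example, not part of this PR or of the project's repository: a small, dependency-free Python lint that reproduces the structural check listed under Verification above. It walks a workflow file, records every `actions/checkout` step with the `ref:` and `repository:` inputs from its `with:` block, classifies each as bare, event-SHA, github.ref or otherwise pinned, and fails on any step still using `ref: ${{ github.ref }}`. The sample workflow, its job names and the `example-org/standards` repository are constructed for the example; the parsing is line-based and tuned to the two-space indentation style shown, not a general YAML parser.

```python
"""Added example (not the PR's or the project's code): a dependency-free lint
that lists every actions/checkout step in a workflow file and flags the ones
pinned to ``ref: ${{ github.ref }}``, which a reusable workflow called from a
pull_request caller expands to the unfetchable refs/pull/<n>/merge."""
from __future__ import annotations
import re
from dataclasses import dataclass

BUG = "${{ github.ref }}"  # named merge ref: the checkout failure in the PR
FIX = "${{ github.sha }}"  # concrete event commit: always fetchable
_JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")  # job key under `jobs:`
_KV_RE = re.compile(r"^\s*(?:-\s+)?([A-Za-z0-9_-]+):\s*(.*?)\s*$")


@dataclass
class CheckoutStep:
    job: str
    line: int               # 1-based line of the `uses:` key
    repository: str | None  # None -> the caller repo (checkout default)
    ref: str | None         # None -> checkout's default ref


def find_checkout_steps(workflow_text: str) -> list[CheckoutStep]:
    lines = workflow_text.splitlines()
    steps: list[CheckoutStep] = []
    job, in_jobs, i = "<none>", False, 0
    while i < len(lines):
        line = lines[i]
        if line.rstrip() == "jobs:":
            in_jobs = True
        elif in_jobs and (m := _JOB_RE.match(line)):
            job = m.group(1)
        kv = _KV_RE.match(line)
        if not (kv and kv.group(1) == "uses"
                and kv.group(2).startswith("actions/checkout@")):
            i += 1
            continue
        key_indent = line.index("uses")  # sibling keys (with:, name:) sit here
        step, in_with, j = CheckoutStep(job, i + 1, None, None), False, i + 1
        while j < len(lines):
            nxt = lines[j]
            if not nxt.strip():
                j += 1
                continue
            indent = len(nxt) - len(nxt.lstrip(" "))
            if indent < key_indent or nxt.lstrip().startswith("- "):
                break  # next step, or the job ended
            kv = _KV_RE.match(nxt)
            if indent == key_indent:
                in_with = bool(kv and kv.group(1) == "with")
            elif in_with and kv:
                value = re.sub(r"\s+#.*$", "", kv.group(2))  # drop YAML comment
                if kv.group(1) == "ref":
                    step.ref = value
                elif kv.group(1) == "repository":
                    step.repository = value
            j += 1
        steps.append(step)
        i = j
    return steps


def classify(step: CheckoutStep) -> str:
    if step.ref is None:
        return "bare"        # unaffected, like workflow-staleness in the PR
    if step.ref == FIX:
        return "event-sha"   # the PR's fix
    if step.ref == BUG:
        return "github-ref"  # the failing pattern
    return "pinned"          # e.g. a secondary repo checked out at `main`


def audit(workflow_text: str) -> dict[str, list[tuple[str, int]]]:
    report: dict[str, list[tuple[str, int]]] = {}
    for step in find_checkout_steps(workflow_text):
        report.setdefault(classify(step), []).append((step.job, step.line))
    return report


def offending_steps(workflow_text: str) -> list[tuple[str, int]]:
    """(job, line) of every checkout still pinned to github.ref."""
    return audit(workflow_text).get("github-ref", [])


# Constructed sample (hypothetical job names and org): one job still on the
# failing pattern, the others in the shapes the PR leaves in place.
SAMPLE_REUSABLE_WORKFLOW = """\
name: governance-reusable (constructed sample)
jobs:
  policy-before:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}   # refs/pull/<n>/merge from a PR caller
  policy-after:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the event commit
        uses: actions/checkout@v4
        with:
          ref: ${{ github.sha }}
      - uses: actions/checkout@v4
        with:
          repository: example-org/standards
          ref: main
  staleness:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
```

Run `audit(SAMPLE_REUSABLE_WORKFLOW)` to get the per-category list of `(job, line)` pairs, or wire `offending_steps` into a pre-merge check so that a reusable workflow can never regain a `github.ref` checkout; replacing `BUG` with `FIX` in the sample empties the offending list, which is the same state the PR's own structural check reports.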
@hyperpolymath hyperpolymath marked this pull request as ready for review June 27, 2026 19:08
@hyperpolymath hyperpolymath merged commit 8dc2bf0 into main Jun 27, 2026
18 of 19 checks passed
@hyperpolymath hyperpolymath deleted the claude/hypatia-scan-cache-licence-rup52j branch June 27, 2026 19:09

2 participants