fix(ci): checkout the event SHA in governance jobs (re-enable PR-time enforcement)#442
Merged
The 8 governance-reusable.yml jobs that pass `ref: ${{ github.ref }}` to
actions/checkout were failing at checkout on every PR with
"couldn't find remote ref refs/pull/<n>/merge".
Root cause: governance.yml triggers on pull_request and calls
governance-reusable.yml via workflow_call. In a reusable workflow,
github.ref inherits the caller's PR ref, which is the named merge ref
refs/pull/<n>/merge. actions/checkout cannot fetch that named ref, so the
8 jobs that requested it died at checkout — leaving governance effectively
ungated on PRs (only push-to-main runs were enforcing). The two jobs that
omit an explicit ref (workflow-staleness, validate-hypatia-baseline) were
unaffected, matching the observed 8/10 failure.
Fix: pin those checkouts to `ref: ${{ github.sha }}` — the concrete event
commit (the PR merge commit on pull_request, the pushed commit on push).
github.sha resolves to the same merge commit refs/pull/<n>/merge points
at, but is always fetchable. Content is unchanged; the diff-based jobs
(quality trufflehog base/head) already use explicit SHAs, so enforcement
semantics are preserved. The secondary `ref: main` checkouts that pull the
standards check scripts are untouched.
Estate-wide: re-enables PR-time governance enforcement across all repos
that consume this reusable workflow. Owner-approved 2026-06-27.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01MJdfXv5E5gwGD2yaJq8jRM
Summary

Fixes the estate-wide governance failure where 8 of 10 jobs in `governance-reusable.yml` die at checkout on every PR with:

`couldn't find remote ref refs/pull/<n>/merge`

(This is the `refs/pull/<n>/merge` item flagged as out-of-scope in #441 — now resolved with owner approval.)

Root cause

`governance.yml` triggers on `pull_request` and calls `governance-reusable.yml` via `workflow_call`. Inside a reusable workflow, `github.ref` inherits the caller's PR ref, which on a `pull_request` event is the named merge ref `refs/pull/<n>/merge`. The 8 jobs that pass `ref: ${{ github.ref }}` to `actions/checkout` therefore ask it to `git fetch refs/pull/<n>/merge` — a named ref checkout cannot resolve — and fail at the checkout step.

The two jobs that omit an explicit `ref:` (`workflow-staleness`, `validate-hypatia-baseline`) use checkout's default and were unaffected — exactly matching the observed 8/10.

Consequence today: governance is effectively ungated on PRs — only `push-to-main` runs enforce.

Fix

Pin the 8 caller-repo checkouts to `ref: ${{ github.sha }}` — the concrete event commit (the PR merge commit on `pull_request`, the pushed commit on `push`). It resolves to the same commit `refs/pull/<n>/merge` points at, but is always fetchable. A short comment at each site explains why `github.ref` must not be used here.

- The 8 jobs: `language-policy`, `package-policy`, `security-policy`, `quality`, `wellknown`, `workflow-lint`, `trusted-base`, `licence-consistency`.
- The `repository: hyperpolymath/standards` + `ref: main` checkouts (which fetch the check scripts) are untouched.
- Diff-based scanning (`quality`'s trufflehog) already uses explicit `github.sha`/`github.event.pull_request.base.sha`, independent of the checkout ref.

Blast radius (owner-acknowledged)

This re-enables PR-time governance enforcement across every repo consuming the reusable workflow. PRs that were silently passing (because the jobs never ran) may now surface real governance violations. Approved by owner 2026-06-27.

Verification

- `python3 -c "import yaml; yaml.safe_load(...)"` → YAML OK.
- 8 `ref: ${{ github.sha }}`, 3 standards-checkout `ref: main` (unchanged). No `ref: ${{ github.ref }}` remains.

🤖 Generated with Claude Code
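As an added example, not part of this PR or of the hyperpolymath repositories, the script below turns the two checks described in the commit message and the Verification section into something re-runnable: it embeds a constructed miniature of the reusable workflow (job names are taken from the description above; the file contents are invented for the example), reports every `actions/checkout` step that still requests `ref: ${{ github.ref }}`, and rewrites only those lines to `github.sha`, leaving the `ref: main` standards checkout and the jobs that omit `ref:` untouched. The awk state machine assumes the sample's layout (jobs at two-space indent, steps introduced by `- ` at six spaces); it is a lint for this one misconfiguration, not a YAML parser.

```shell
#!/bin/sh
# Added example, not the project's own tooling. Lints a GitHub Actions workflow for
# actions/checkout steps that pass ref: ${{ github.ref }}, which inside a reusable
# workflow called from a pull_request event is the unfetchable refs/pull/<n>/merge.
set -eu

# Constructed miniature of a reusable workflow (job names from the PR description,
# contents made up for this example): one job still has the broken setting, one
# omits ref entirely, one is already pinned to github.sha.
write_sample_workflow() {
  cat >"$1" <<'EOF'
name: governance-reusable
on:
  workflow_call:
jobs:
  language-policy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}
      - uses: actions/checkout@v4
        with:
          repository: hyperpolymath/standards
          ref: main
          path: standards
  workflow-staleness:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
  quality:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Pin the event commit: the caller's ref is the unfetchable refs/pull/<n>/merge
          ref: ${{ github.sha }}
EOF
}

# Print the job name of every actions/checkout step whose ref is github.ref.
find_ref_checkouts() {
  awk '
    /^jobs:/                           { in_jobs = 1 }
    in_jobs && /^  [A-Za-z0-9_-]+: *$/ { job = $1; sub(/:$/, "", job); in_checkout = 0 }
    /^      - /                        { in_checkout = 0 }   # a new step ends the previous one
    /uses: *actions\/checkout/         { in_checkout = 1 }
    in_checkout && /ref:/ && index($0, "github.ref") > 0 { print job }
  ' "$1"
}

# Rewrite, in place, only the offending checkout refs to github.sha.
# Other ref: lines (e.g. the standards checkout's "ref: main") are left alone.
pin_checkouts_to_sha() {
  out="$1.pinned"
  awk '
    /^jobs:/                           { in_jobs = 1 }
    in_jobs && /^  [A-Za-z0-9_-]+: *$/ { in_checkout = 0 }
    /^      - /                        { in_checkout = 0 }
    /uses: *actions\/checkout/         { in_checkout = 1 }
    in_checkout && /ref:/ && index($0, "github.ref") > 0 { sub(/github\.ref/, "github.sha") }
    { print }
  ' "$1" >"$out" && mv "$out" "$1"
}

# Demo (./lint-checkout-ref.sh --demo): lint the sample, fix it, lint again.
if [ "${1:-}" = "--demo" ]; then
  wf=$(mktemp)
  write_sample_workflow "$wf"
  echo "jobs still using github.ref: $(find_ref_checkouts "$wf")"
  pin_checkouts_to_sha "$wf"
  echo "after pinning: '$(find_ref_checkouts "$wf")'"
  rm -f "$wf"
fi
```

Run `find_ref_checkouts` against the real `governance-reusable.yml` and an empty result is the same condition the PR's Verification section states ("No `ref: ${{ github.ref }}` remains"); the rewrite is scoped to checkout steps so a `grep -c 'ref: main'` before and after should not change.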