diff --git a/.github/workflows/governance-reusable.yml b/.github/workflows/governance-reusable.yml
index 43bd996f..fc2c6056 100644
--- a/.github/workflows/governance-reusable.yml
+++ b/.github/workflows/governance-reusable.yml
@@ -128,7 +128,15 @@ jobs:
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           repository: ${{ github.repository }}
-          ref: ${{ github.ref }}
+          # Pin to the concrete event SHA (the PR merge commit on
+          # pull_request, the pushed commit on push). Do NOT use
+          # `ref: ${{ github.ref }}`: in a reusable workflow called from a
+          # pull_request, github.ref is the named merge ref
+          # `refs/pull//merge`, which actions/checkout cannot fetch
+          # ("couldn't find remote ref refs/pull//merge") — it broke 8/10
+          # governance jobs on every PR estate-wide. github.sha resolves to the
+          # same merge commit but is always fetchable.
+          ref: ${{ github.sha }}
 
       # Estate language policy bans Python with no exceptions (CLAUDE.md
       # Language Policy; SaltStack exception removed 2026-01-03). The
@@ -464,7 +472,15 @@ jobs:
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           repository: ${{ github.repository }}
-          ref: ${{ github.ref }}
+          # Pin to the concrete event SHA (the PR merge commit on
+          # pull_request, the pushed commit on push). Do NOT use
+          # `ref: ${{ github.ref }}`: in a reusable workflow called from a
+          # pull_request, github.ref is the named merge ref
+          # `refs/pull//merge`, which actions/checkout cannot fetch
+          # ("couldn't find remote ref refs/pull//merge") — it broke 8/10
+          # governance jobs on every PR estate-wide. github.sha resolves to the
+          # same merge commit but is always fetchable.
+          ref: ${{ github.sha }}
       - name: Enforce Guix primary / Nix fallback
         run: |
           HAS_GUIX=$(find . -name "*.scm" -o -name ".guix-channel" -o -name "guix.scm" 2>/dev/null | head -1)
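Review bot: Because this is a reusable workflow, `github.sha` follows the caller's event, and for a caller triggered by `pull_request_target` it is the base-branch commit rather than the PR merge commit, so every governance checkout in this diff (this hunk and the seven others) would silently inspect base-branch content while reporting on the PR. The added comment should state that assumption, e.g. `# Assumes callers trigger on pull_request/push; under pull_request_target github.sha is the base SHA, not the PR head.`, or the workflow should refuse that event with a guard step on `github.event_name` before any checkout. The same nine-line rationale is pasted verbatim into eight `with:` blocks; keep it once near the top of the file and leave a one-line pointer at each checkout so later edits do not drift between copies. The quoted ref `refs/pull//merge` has no PR number — if that is the literal error text it is worth saying so, otherwise an `<N>` placeholder was likely lost in rendering and should be restored.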
@@ -492,7 +508,15 @@ jobs:
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           repository: ${{ github.repository }}
-          ref: ${{ github.ref }}
+          # Pin to the concrete event SHA (the PR merge commit on
+          # pull_request, the pushed commit on push). Do NOT use
+          # `ref: ${{ github.ref }}`: in a reusable workflow called from a
+          # pull_request, github.ref is the named merge ref
+          # `refs/pull//merge`, which actions/checkout cannot fetch
+          # ("couldn't find remote ref refs/pull//merge") — it broke 8/10
+          # governance jobs on every PR estate-wide. github.sha resolves to the
+          # same merge commit but is always fetchable.
+          ref: ${{ github.sha }}
       - name: Security checks
         run: |
           FAILED=false
@@ -723,7 +747,15 @@ jobs:
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           repository: ${{ github.repository }}
-          ref: ${{ github.ref }}
+          # Pin to the concrete event SHA (the PR merge commit on
+          # pull_request, the pushed commit on push). Do NOT use
+          # `ref: ${{ github.ref }}`: in a reusable workflow called from a
+          # pull_request, github.ref is the named merge ref
+          # `refs/pull//merge`, which actions/checkout cannot fetch
+          # ("couldn't find remote ref refs/pull//merge") — it broke 8/10
+          # governance jobs on every PR estate-wide. github.sha resolves to the
+          # same merge commit but is always fetchable.
+          ref: ${{ github.sha }}
       - name: Check file permissions
         run: |
           find . -type f -perm /111 -name "*.sh" | head -10 || true
@@ -772,7 +804,15 @@ jobs:
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           repository: ${{ github.repository }}
-          ref: ${{ github.ref }}
+          # Pin to the concrete event SHA (the PR merge commit on
+          # pull_request, the pushed commit on push). Do NOT use
+          # `ref: ${{ github.ref }}`: in a reusable workflow called from a
+          # pull_request, github.ref is the named merge ref
+          # `refs/pull//merge`, which actions/checkout cannot fetch
+          # ("couldn't find remote ref refs/pull//merge") — it broke 8/10
+          # governance jobs on every PR estate-wide. github.sha resolves to the
+          # same merge commit but is always fetchable.
+          ref: ${{ github.sha }}
       - name: RFC 9116 security.txt validation
         run: |
           SECTXT=""
@@ -830,7 +870,15 @@ jobs:
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           repository: ${{ github.repository }}
-          ref: ${{ github.ref }}
+          # Pin to the concrete event SHA (the PR merge commit on
+          # pull_request, the pushed commit on push). Do NOT use
+          # `ref: ${{ github.ref }}`: in a reusable workflow called from a
+          # pull_request, github.ref is the named merge ref
+          # `refs/pull//merge`, which actions/checkout cannot fetch
+          # ("couldn't find remote ref refs/pull//merge") — it broke 8/10
+          # governance jobs on every PR estate-wide. github.sha resolves to the
+          # same merge commit but is always fetchable.
+          ref: ${{ github.sha }}
       - name: Check SPDX headers + permissions
         run: |
           failed=0
@@ -874,7 +922,15 @@ jobs:
         uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           repository: ${{ github.repository }}
-          ref: ${{ github.ref }}
+          # Pin to the concrete event SHA (the PR merge commit on
+          # pull_request, the pushed commit on push). Do NOT use
+          # `ref: ${{ github.ref }}`: in a reusable workflow called from a
+          # pull_request, github.ref is the named merge ref
+          # `refs/pull//merge`, which actions/checkout cannot fetch
+          # ("couldn't find remote ref refs/pull//merge") — it broke 8/10
+          # governance jobs on every PR estate-wide. github.sha resolves to the
+          # same merge commit but is always fetchable.
+          ref: ${{ github.sha }}
           path: caller
       - name: Checkout standards (for the check script)
         uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
@@ -897,7 +953,15 @@ jobs:
         uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           repository: ${{ github.repository }}
-          ref: ${{ github.ref }}
+          # Pin to the concrete event SHA (the PR merge commit on
+          # pull_request, the pushed commit on push). Do NOT use
+          # `ref: ${{ github.ref }}`: in a reusable workflow called from a
+          # pull_request, github.ref is the named merge ref
+          # `refs/pull//merge`, which actions/checkout cannot fetch
+          # ("couldn't find remote ref refs/pull//merge") — it broke 8/10
+          # governance jobs on every PR estate-wide. github.sha resolves to the
+          # same merge commit but is always fetchable.
+          ref: ${{ github.sha }}
           path: caller
       - name: Checkout standards (for the check script)
         uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0