Checkout the tip of the PR branch for linting jobs

These jobs do not rely on versioned source, so they can default to the pull request HEAD sha and fallback to the github ref for other event types. Using the github ref is not appropriate for pull_request_target events where the ref/sha is always the base branch. Change-type: minor Signed-off-by: Kyle Harding <[email protected]>
product-os · Jan 16, 2025 · d4d3193 · d4d3193
1 parent c6337bf
commit d4d3193
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 23 deletions.
diff --git a/.github/workflows/flowzone.yml b/.github/workflows/flowzone.yml
diff --git a/flowzone.yml b/flowzone.yml
@@ -1168,7 +1168,6 @@ jobs:
       <<: *gitHubCliEnvironment
 
     steps:
-
       - <<: *getGitHubAppToken
         with:
           <<: *getGitHubAppTokenWith
@@ -1685,6 +1684,9 @@ jobs:
           persist-credentials: false
           # Use the automatic actions token with contents:read permissions
           token: ${{ github.token }}
+          # Checkout the tip of the pull request branch for pull request events.
+          # Checkout the event sha for other events.
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
 
       # https://github.com/actions/toolkit/blob/master/docs/problem-matchers.md
       - name: Add problem matcher
@@ -1723,7 +1725,6 @@ jobs:
       contents: read # required for checkout without submodules
 
     steps:
-
       - <<: *getGitHubAppToken
         with:
           <<: *getGitHubAppTokenWith
@@ -1745,6 +1746,9 @@ jobs:
           persist-credentials: false
           # Use the automatic actions token with contents:read permissions
           token: ${{ github.token }}
+          # Checkout the tip of the pull request branch for pull request events.
+          # Checkout the event sha for other events.
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
 
       # https://github.com/synacktiv/octoscan
       # https://github.com/synacktiv/action-octoscan
@@ -1794,12 +1798,6 @@ jobs:
     name: File list
     runs-on: ${{ fromJSON(inputs.runs_on) }}
     timeout-minutes: 5
-    # Do not run on PR close events for now.
-    if: |
-      (
-        github.event.action != 'closed' ||
-        github.event.pull_request.merged == true
-      )
     # Run this early in the workflow, as soon as we've validated event types
     needs:
       - event_types
@@ -1828,11 +1826,13 @@ jobs:
         with:
           github-token: ${{ github.token }}
           result-encoding: json
+          # Use the tip of the pull request branch for pull request events.
+          # Use the event sha for other events.
           script: |
             const { data } = await github.rest.repos.getContent({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              ref: context.ref
+              ref: context.event.pull_request.head.sha || context.ref
             });
 
             return data
@@ -1850,20 +1850,21 @@ jobs:
         with:
           github-token: ${{ github.token }}
           result-encoding: json
-          # remove preceeding ./ from the working directory if it exists
+          # Use the tip of the pull request branch for pull request events.
+          # Use the event sha for other events.
+          # Remove preceeding ./ from the working directory if it exists.
           script: |
             const { data } = await github.rest.repos.getContent({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              ref: context.ref,
+              ref: context.event.pull_request.head.sha || context.ref,
               path: process.env.WORKING_DIRECTORY.startsWith('./') ? process.env.WORKING_DIRECTORY.slice(2) : process.env.WORKING_DIRECTORY
             });
 
             return data
               .filter(item => item.type === 'file')
               .map(item => item.name);
 
-
   # Run pre-commit hooks if the config file exists in the project root.
   # This step will fail if the hooks find any differences after running.
   # Pre-commit hooks are useful projects for that don't use npm & husky.
@@ -1919,7 +1920,7 @@ jobs:
       contents: read # Required to checkout source project, without submodules
 
     outputs:
-      npm: 'true'
+      npm: "true"
       has_npm_lockfile: ${{ contains(needs.file_list.outputs.workdir, 'package-lock.json') || contains(needs.file_list.outputs.workdir, 'npm-shrinkwrap.json') }}
       npm_private: ${{ steps.package_json.outputs.private }}
       npm_docs: ${{ steps.package_json.outputs.docs }}
@@ -1929,8 +1930,8 @@ jobs:
       max_node_version: ${{ steps.node_versions.outputs.max }}
 
     env:
-      NODE_VERSIONS: '[]'
-      PACKAGE_JSON_PATH: '${{ inputs.working_directory }}/package.json'
+      NODE_VERSIONS: "[]"
+      PACKAGE_JSON_PATH: "${{ inputs.working_directory }}/package.json"
 
     steps:
       - *checkoutEventRef
@@ -1966,7 +1967,7 @@ jobs:
 
       - <<: *setupNode
         env:
-         # renovate: datasource=node-version depName=node packageName=node-18.x
+          # renovate: datasource=node-version depName=node packageName=node-18.x
           NODE_VERSION: 18.20.5
 
       # https://www.npmjs.com/package/check-engine