From d4d3193393a1ad18c1a7fa353f642e0f94ea3147 Mon Sep 17 00:00:00 2001 From: Kyle Harding Date: Thu, 16 Jan 2025 15:20:49 -0500 Subject: [PATCH] Checkout the tip of the PR branch for linting jobs These jobs do not rely on versioned source, so they can default to the pull request HEAD sha and fallback to the github ref for other event types. Using the github ref is not appropriate for pull_request_target events where the ref/sha is always the base branch. Change-type: minor Signed-off-by: Kyle Harding --- .github/workflows/flowzone.yml | 11 ++++------- flowzone.yml | 33 +++++++++++++++++---------------- 2 files changed, 21 insertions(+), 23 deletions(-) diff --git a/.github/workflows/flowzone.yml b/.github/workflows/flowzone.yml index 5527d8a12..f3660afa8 100644 --- a/.github/workflows/flowzone.yml +++ b/.github/workflows/flowzone.yml @@ -1002,6 +1002,7 @@ jobs: submodules: false persist-credentials: false token: ${{ github.token }} + ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Add problem matcher run: | curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/main/.github/actionlint-matcher.json > ${{ runner.temp }}/actionlint-matcher.json @@ -1047,6 +1048,7 @@ jobs: submodules: false persist-credentials: false token: ${{ github.token }} + ref: ${{ github.event.pull_request.head.sha || github.sha }} - id: octoscan name: Run octoscan uses: synacktiv/action-octoscan@6b1cf2343893dfb9e5f75652388bd2dc83f456b0 @@ -1078,11 +1080,6 @@ jobs: name: File list runs-on: ${{ fromJSON(inputs.runs_on) }} timeout-minutes: 5 - if: | - ( - github.event.action != 'closed' || - github.event.pull_request.merged == true - ) needs: - event_types permissions: @@ -1106,7 +1103,7 @@ jobs: const { data } = await github.rest.repos.getContent({ owner: context.repo.owner, repo: context.repo.repo, - ref: context.ref + ref: context.event.pull_request.head.sha || context.ref }); return data 
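Review bot: `context.event` is not a property of the github-script `context` object (the `@actions/github` Context exposes the webhook body as `context.payload`), so in the `@@ -1106` hunk the new expression `context.event.pull_request.head.sha || context.ref` throws a TypeError before the `||` fallback is ever evaluated, and the file-list step fails on every event type rather than only selecting the wrong ref. The lookup should read `ref: context.payload.pull_request?.head?.sha || context.ref`, which still falls back to the event ref for push and other non-PR events as the commit message intends. The same expression is repeated in the following `getContent` call and needs the identical fix. The enclosing `script:` step starts outside this hunk.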
@@ -1125,7 +1122,7 @@ jobs: const { data } = await github.rest.repos.getContent({ owner: context.repo.owner, repo: context.repo.repo, - ref: context.ref, + ref: context.event.pull_request.head.sha || context.ref, path: process.env.WORKING_DIRECTORY.startsWith('./') ? process.env.WORKING_DIRECTORY.slice(2) : process.env.WORKING_DIRECTORY }); diff --git a/flowzone.yml b/flowzone.yml index 9d8389bc4..ae4362549 100644 --- a/flowzone.yml +++ b/flowzone.yml @@ -1168,7 +1168,6 @@ jobs: <<: *gitHubCliEnvironment steps: - - <<: *getGitHubAppToken with: <<: *getGitHubAppTokenWith @@ -1685,6 +1684,9 @@ jobs: persist-credentials: false # Use the automatic actions token with contents:read permissions token: ${{ github.token }} + # Checkout the tip of the pull request branch for pull request events. + # Checkout the event sha for other events. + ref: ${{ github.event.pull_request.head.sha || github.sha }} # https://github.com/actions/toolkit/blob/master/docs/problem-matchers.md - name: Add problem matcher @@ -1723,7 +1725,6 @@ jobs: contents: read # required for checkout without submodules steps: - - <<: *getGitHubAppToken with: <<: *getGitHubAppTokenWith @@ -1745,6 +1746,9 @@ jobs: persist-credentials: false # Use the automatic actions token with contents:read permissions token: ${{ github.token }} + # Checkout the tip of the pull request branch for pull request events. + # Checkout the event sha for other events. + ref: ${{ github.event.pull_request.head.sha || github.sha }} # https://github.com/synacktiv/octoscan # https://github.com/synacktiv/action-octoscan @@ -1794,12 +1798,6 @@ jobs: name: File list runs-on: ${{ fromJSON(inputs.runs_on) }} timeout-minutes: 5 - # Do not run on PR close events for now. - if: | - ( - github.event.action != 'closed' || - github.event.pull_request.merged == true - ) # Run this early in the workflow, as soon as we've validated event types needs: - event_types 
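Review bot: The new comment on the `ref:` line in the `@@ -1685` hunk should spell out the trust boundary it introduces, because on `pull_request_target` this step now checks out fork-controlled code into a job that runs with the base repository's context, which is the classic "pwn request" shape. The protections that make this acceptable are already present (`persist-credentials: false`, the `contents: read` token, and a job that only runs a static linter over the tree) but nothing in the file says they are load-bearing; I would extend the comment with `# On pull_request_target this is untrusted fork code: keep persist-credentials: false and contents: read, and never execute anything from this checkout (no install, build or hooks), only static linting.` It is also worth noting in the same comment that `head.sha` is pinned at event time, so commits pushed to the PR after the run starts are deliberately not picked up. The enclosing checkout step starts before this hunk.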
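Review bot: The `@@ -1794` hunk drops the `if:` guard and its `# Do not run on PR close events for now.` comment, so `file_list` now also runs on closed-but-unmerged pull requests, yet neither the commit message nor the remaining comments explain why that restriction is no longer needed. If the guard became redundant because `event_types` already filters those events, a one-line comment above `needs:` such as `# Runs on every validated event type, including PR close; event_types gates unwanted events.` would keep the next reader from reinstating it. The job definition continues outside this hunk.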
@@ -1828,11 +1826,13 @@ jobs: with: github-token: ${{ github.token }} result-encoding: json + # Use the tip of the pull request branch for pull request events. + # Use the event sha for other events. script: | const { data } = await github.rest.repos.getContent({ owner: context.repo.owner, repo: context.repo.repo, - ref: context.ref + ref: context.event.pull_request.head.sha || context.ref }); return data @@ -1850,12 +1850,14 @@ jobs: with: github-token: ${{ github.token }} result-encoding: json - # remove preceeding ./ from the working directory if it exists + # Use the tip of the pull request branch for pull request events. + # Use the event sha for other events. + # Remove preceeding ./ from the working directory if it exists. script: | const { data } = await github.rest.repos.getContent({ owner: context.repo.owner, repo: context.repo.repo, - ref: context.ref, + ref: context.event.pull_request.head.sha || context.ref, path: process.env.WORKING_DIRECTORY.startsWith('./') ? process.env.WORKING_DIRECTORY.slice(2) : process.env.WORKING_DIRECTORY }); @@ -1863,7 +1865,6 @@ jobs: .filter(item => item.type === 'file') .map(item => item.name); - # Run pre-commit hooks if the config file exists in the project root. # This step will fail if the hooks find any differences after running. # Pre-commit hooks are useful projects for that don't use npm & husky. @@ -1919,7 +1920,7 @@ jobs: contents: read # Required to checkout source project, without submodules outputs: - npm: 'true' + npm: "true" has_npm_lockfile: ${{ contains(needs.file_list.outputs.workdir, 'package-lock.json') || contains(needs.file_list.outputs.workdir, 'npm-shrinkwrap.json') }} npm_private: ${{ steps.package_json.outputs.private }} npm_docs: ${{ steps.package_json.outputs.docs }} 
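Review bot: `context.event` does not exist on the github-script `context` (the payload lives at `context.payload`), so the new `ref: context.event.pull_request.head.sha || context.ref` in the `@@ -1828` and `@@ -1850` hunks raises a TypeError instead of selecting the PR head, and the `||` fallback never runs for non-PR events either. Since `.github/workflows/flowzone.yml` appears to be generated from this file, the fix belongs here: `ref: context.payload.pull_request?.head?.sha || context.ref` in both `getContent` calls. The added comments describe the intended behaviour correctly and can stay as written. The enclosing `script:` steps start outside these hunks.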
@@ -1929,8 +1930,8 @@ jobs: max_node_version: ${{ steps.node_versions.outputs.max }} env: - NODE_VERSIONS: '[]' - PACKAGE_JSON_PATH: '${{ inputs.working_directory }}/package.json' + NODE_VERSIONS: "[]" + PACKAGE_JSON_PATH: "${{ inputs.working_directory }}/package.json" steps: - *checkoutEventRef @@ -1966,7 +1967,7 @@ jobs: - <<: *setupNode env: - # renovate: datasource=node-version depName=node packageName=node-18.x + # renovate: datasource=node-version depName=node packageName=node-18.x NODE_VERSION: 18.20.5 # https://www.npmjs.com/package/check-engine