fix(ast): canonicalize friend targets

.github/workflows/ci.yml

@@ -15,19 +15,13 @@ on:
     branches:
       - develop
 
-  # pull_request_target runs repo-owned checks (e.g., Danger comments) on the base ref with the base repo token;
-  # never executes PR code.
-  pull_request_target:
-    branches:
-      - develop
 
 concurrency:
   group: ${{format('{0}:{1}', github.repository, github.ref)}}
   cancel-in-progress: true
 
 jobs:
   cpp-matrix:
-    if: github.event_name != 'pull_request_target'
     runs-on: ubuntu-24.04
     container:
       image: ubuntu:24.04
@@ -133,7 +127,6 @@ jobs:
           node .github/releases-matrix.js
 
   build:
-    if: github.event_name != 'pull_request_target'
     needs: cpp-matrix
 
     strategy:
@@ -430,8 +423,8 @@ jobs:
           git-tag: ${{ matrix.llvm-hash }}
           download-dir: ../third-party/llvm-project
           patches: |
-            ./third-party/llvm/CMakePresets.json
-            ./third-party/llvm/CMakeUserPresets.json
+            ./third-party/patches/llvm/llvm/CMakePresets.json
+            ./third-party/patches/llvm/llvm/CMakeUserPresets.json
           build-dir: ${sourceDir}/build
           preset: ${{ matrix.llvm-build-preset }}
           build-type: ${{ matrix.build-type }}
@@ -467,8 +460,8 @@ jobs:
           source-dir: ../third-party/duktape
           url: https://github.com/svaarala/duktape/releases/download/v2.7.0/duktape-2.7.0.tar.xz
           patches: |
-            ./third-party/duktape/CMakeLists.txt
-            ./third-party/duktape/duktapeConfig.cmake.in
+            ./third-party/patches/duktape/CMakeLists.txt
+            ./third-party/patches/duktape/duktapeConfig.cmake.in
           build-dir: ${sourceDir}/build
           cc: ${{ steps.setup-cpp.outputs.cc }}
           cxx: ${{ steps.setup-cpp.outputs.cxx }}
@@ -487,8 +480,8 @@ jobs:
           source-dir: ../third-party/lua
           url: https://github.com/lua/lua/archive/refs/tags/v5.4.8.tar.gz
           patches: |
-            ./third-party/lua/CMakeLists.txt
-            ./third-party/lua/LuaConfig.cmake.in
+            ./third-party/patches/lua/CMakeLists.txt
+            ./third-party/patches/lua/LuaConfig.cmake.in
           build-dir: ${sourceDir}/build
           cc: ${{ steps.setup-cpp.outputs.cc }}
           cxx: ${{ steps.setup-cpp.outputs.cxx }}
@@ -910,6 +903,17 @@ jobs:
           npx gulp lint
           npx gulp
 
+      - name: Ensure all refs for Antora
+        if: github.event_name == 'push' && (contains(fromJSON('["master", "develop"]'), github.ref_name) || startsWith(github.ref, 'refs/tags/')) && runner.os == 'Linux'
+        run: |
+          set -euo pipefail
+          # Make sure Antora sees every branch and tag from the upstream repo,
+          # regardless of who triggered the workflow.
+          git remote set-url origin https://github.com/cppalliance/mrdocs.git
+          git fetch --prune --prune-tags origin \
+            '+refs/heads/*:refs/remotes/origin/*' \
+            '+refs/tags/*:refs/tags/*'
+
       - name: Generate Remote Documentation
         working-directory: docs
         run: |
@@ -1308,33 +1312,3 @@ jobs:
           llvm_dir="/var/www/mrdox.com/llvm+clang"
           chmod 755 ${{ matrix.llvm-archive-filename }}
           scp -o StrictHostKeyChecking=no $(pwd)/${{ matrix.llvm-archive-filename }} [email protected]:$llvm_dir/
-
-  repo-checks:
-    name: Repo checks
-    # Run under pull_request_target so we can use the base-repo token to comment on forked PRs
-    # without executing forked code in this job. Declared after the matrix job so the matrix stays first in the UI.
-    if: github.event_name == 'pull_request_target'
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read
-      pull-requests: write
-      issues: write
-      statuses: write
-    steps:
-      - name: Checkout base revision
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-
-      - name: Install repo-check tools
-        run: npm --prefix util/danger ci
-
-      - name: Repo checks (Danger)
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: npx --prefix util/danger danger ci --dangerfile util/danger/dangerfile.ts

.github/workflows/pr-target-checks.yml

@@ -0,0 +1,39 @@
+name: PR Target Checks
+
+on:
+  # Uses base-repo token and never executes PR code.
+  pull_request_target:
+    branches:
+      - develop
+
+concurrency:
+  group: ${{ format('{0}:{1}:{2}', github.repository, github.ref, github.event_name) }}
+  cancel-in-progress: true
+
+jobs:
+  repo-checks:
+    name: Base-token checks
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      statuses: write
+    steps:
+      - name: Checkout base revision
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Install repo-check tools
+        run: npm --prefix util/danger ci
+
+      - name: Repo checks (Danger)
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: npx --prefix util/danger danger ci --dangerfile util/danger/dangerfile.ts