fix: support fork PRs in commit-recordings workflow#5204
Merged
cdoern merged 3 commits intollamastack:mainfrom Mar 19, 2026
Merged
fix: support fork PRs in commit-recordings workflow#5204cdoern merged 3 commits intollamastack:mainfrom
cdoern merged 3 commits intollamastack:mainfrom
Conversation
meta-cla
bot
added
the
CLA Signed
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
.github/workflows/commit-recordings.yml
Dismissed
Comment on lines
+161
to
+170
| - name: Checkout PR branch (same-repo) | ||
| if: steps.pr-info.outputs.skip != 'true' && steps.pr-info.outputs.is_fork_pr != 'true' | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| repository: ${{ steps.pr-info.outputs.head_repo }} | ||
| ref: ${{ steps.pr-info.outputs.head_ref }} | ||
| fetch-depth: 0 | ||
| token: ${{ github.token }} | ||
|
|
||
| - name: Restore artifacts after checkout |
Check failure
Code scanning / CodeQL
Checkout of untrusted code in trusted context High
Collaborator
Author
There was a problem hiding this comment.
This is a false positive. The workflow_run checkout is only used to get the branch state for committing recording files on top of. No code from the checkout is executed - the subsequent steps only run cp, git add, git commit, and git push. The recording files themselves are generated by the unprivileged pull_request-triggered workflow and passed via artifacts
- Fix empty headRepository.nameWithOwner for fork PRs by constructing repo name from headRepositoryOwner.login/headRepository.name - Split checkout into same-repo and fork paths since github.token cannot clone fork repos - Use RELEASE_PAT for fork checkout and push (repo scope needed) - Preserve recording artifacts across checkout (moved to /tmp) Signed-off-by: Charlie Doern <cdoern@redhat.com>
cdoern
force-pushed
the
fix-fork-pr-recordings
branch
from
b5e64c7 to
6931c36
Compare
cdoern
requested review from
ashwinb,
bbrowning,
ehhuang,
franciscojavierarceo,
leseb,
mattf and
raghotham
as code owners
leseb
approved these changes
Mar 19, 2026
Signed-off-by: Charlie Doern <cdoern@redhat.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
headRepository.nameWithOwnerfromgh pr viewfor fork PRs by constructing repo name fromheadRepositoryOwner.login/headRepository.namegithub.tokencannot clone fork reposRELEASE_PAT(classic PAT withreposcope) for fork checkout and push, asmaintainerCanModifyrequires a maintainer's credentials/tmpTest plan
headRepository.nameWithOwneris empty for all PRs viagh pr viewheadRepositoryOwner.login/headRepository.nameconstruction works for both fork and same-repo PRs