Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix(ci): unbreak cherry-pick automation after actions/checkout v7 bump#16374

Merged
Joibel merged 1 commit into
argoproj:mainfrom
Joibel:fix-cherry-pick-checkout-v7
Jul 3, 2026
Merged

fix(ci): unbreak cherry-pick automation after actions/checkout v7 bump#16374
Joibel merged 1 commit into
argoproj:mainfrom
Joibel:fix-cherry-pick-checkout-v7

Conversation

@Joibel

@Joibel Joibel commented Jul 3, 2026

Copy link
Copy Markdown
Member

Motivation

Since #16342 bumped actions/checkout to v7.0.0, every automated cherry-pick of a fork PR has failed at the checkout step, e.g. this run for #16357.

checkout v7 (actions/checkout#2454) refuses to check out fork PR code from pull_request_target workflows unless allow-unsafe-pr-checkout: true is set. Its guard compares the resolved checkout commit against pull_request.head.sha and pull_request.merge_commit_sha. On a just-merged fork PR the default checkout commit is the base branch tip, which is the merge commit SHA, so the guard fires even though only merged, reviewed code is being checked out. PRs from branches in argoproj are unaffected, which is why this wasn't caught by every cherry-pick.

The failure was invisible on the original PRs because the Comment on failure step relied on the (failed) checkout for repo context and errored with not a git repository.

Modifications

  • Pass an explicit ref: main to checkout so the guard's commit comparison no longer applies. This keeps the fork-PR guard active rather than opting out with allow-unsafe-pr-checkout: true, and is semantically identical: main's tip contains the merge commit, and the script cherry-picks by SHA.
  • Set GH_REPO on the Comment on failure step so failures are reported on the original PR even when checkout fails.

Verification

Root cause confirmed by reading the failed run logs and the guard implementation in src/unsafe-pr-checkout-helper.ts @ v7.0.0: with an explicit ref, the commit input is empty, so none of the guard's three match conditions (head repo, refs/pull/* ref, PR SHA) apply.

After merging, the missed cherry-picks (#16357, #16274, #15991, and #16223/#16302 for 3.7) can be re-triggered by removing and re-adding their cherry-pick/* labels.

AI

Diagnosed and authored with Claude Code (Claude Fable 5), directed and reviewed by me.

πŸ€– Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Improved the reliability of an automated repository workflow so it can continue handling failed checkouts and leave the appropriate comment.
    • Made the workflow less likely to be blocked by checkout behavior in pull request-related runs.

actions/checkout v7.0.0 (actions/checkout#2454) refuses to check out
fork PR code from pull_request_target workflows unless
allow-unsafe-pr-checkout is set. On a merged fork PR the default
checkout commit is the base branch tip, which equals
pull_request.merge_commit_sha, so the guard fires even though only
merged, reviewed code is being checked out. Since argoproj#16342 bumped
checkout to v7, every cherry-pick of a fork PR has failed at checkout.

Give checkout an explicit 'ref: main' so the guard's commit comparison
no longer applies; the merge commit is still reachable and is
cherry-picked by SHA.

Also set GH_REPO on the failure comment step: it previously needed the
(failed) checkout for repo context, so checkout failures were never
reported on the PR.

Co-Authored-By: Claude Fable 5 <[email protected]>
Signed-off-by: Alan Clucas <[email protected]>
@Joibel Joibel marked this pull request as ready for review July 3, 2026 09:21
@Joibel Joibel requested a review from a team as a code owner July 3, 2026 09:21
@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

πŸ“ Walkthrough

Walkthrough

This change modifies a GitHub Actions workflow file to explicitly set the checkout ref to main, avoiding a checkout v7 fork-PR guard issue, and adds a GH_REPO environment variable to the failure-comment step so it functions independent of local git checkout state.

Changes

Workflow checkout and failure handling fix

Layer / File(s) Summary
Explicit checkout ref and failure comment env fix
.github/workflows/cherry-pick-single.yml
Checkout step now explicitly sets ref: main with comments explaining avoidance of checkout v7 fork-PR guard behavior; failure-comment step's environment gains GH_REPO: ${{ github.repository }} to run without relying on local git repo context.

Estimated code review effort: 1 (Trivial) | ~5 minutes

πŸš₯ Pre-merge checks | βœ… 5
βœ… Passed checks (5 passed)
Check name Status Explanation
Title check βœ… Passed The title clearly summarizes the CI fix for cherry-pick automation after the actions/checkout v7 bump.
Description check βœ… Passed The description covers motivation, changes, verification, and AI use in detail; only the issue link and documentation section are missing.
Docstring Coverage βœ… Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check βœ… Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check βœ… Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
πŸ§ͺ Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❀️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/cherry-pick-single.yml (1)

43-47: πŸ”’ Security & Privacy | πŸ”΅ Trivial | πŸ’€ Low value

zizmor artipacked warning is a false positive here.

Persisted credentials from checkout appear intentional β€” the later git push origin "$CHERRY_PICK_BRANCH" step relies on them since no explicit token-based remote is configured. Setting persist-credentials: false would break that push unless the remote URL is reconfigured with the token. This predates the current diff, so no action needed unless you want to harden it.

πŸ€– Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cherry-pick-single.yml around lines 43 - 47, The warning
about persisted credentials in the Checkout repository step is a false positive,
and the later git push in the cherry-pick flow depends on those credentials;
keep the actions/checkout configuration in place unless you also update the push
logic. If you choose to harden it, adjust the cherry-pick workflow so the remote
is explicitly reconfigured with the generated token before changing
persist-credentials, and verify the CHERRY_PICK_BRANCH push still works.

Source: Linters/SAST tools

πŸ€– Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/cherry-pick-single.yml:
- Around line 43-47: The warning about persisted credentials in the Checkout
repository step is a false positive, and the later git push in the cherry-pick
flow depends on those credentials; keep the actions/checkout configuration in
place unless you also update the push logic. If you choose to harden it, adjust
the cherry-pick workflow so the remote is explicitly reconfigured with the
generated token before changing persist-credentials, and verify the
CHERRY_PICK_BRANCH push still works.

ℹ️ Review info
βš™οΈ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: aaf29685-51aa-43a7-b0c4-9fd92df11af3

πŸ“₯ Commits

Reviewing files that changed from the base of the PR and between a65c331 and 562d3d0.

πŸ“’ Files selected for processing (1)
  • .github/workflows/cherry-pick-single.yml

@Joibel Joibel enabled auto-merge (squash) July 3, 2026 09:33
@Joibel Joibel merged commit 4284f07 into argoproj:main Jul 3, 2026
20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants