diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml
index 0554fd77..6b563135 100644
--- a/.github/workflows/integration-test.yml
+++ b/.github/workflows/integration-test.yml
@@ -71,13 +71,23 @@ jobs:
 echo "See [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests)." >> $GITHUB_STEP_SUMMARY
 exit 1
 
- - name: Check merge commit SHA
- run: echo "github.event.pull_request.merge_commit_sha = ${{ github.event.pull_request.merge_commit_sha }}"
-
 - name: Checkout source
 uses: actions/checkout@v4
 with:
- ref: "${{ github.event.pull_request.merge_commit_sha }}"
+ # Getting the correct commit for a pull_request_target event appears to be
+ # a known, problematic issue: https://github.com/actions/checkout/issues/518
+ # It seems that ideally, we want github.event.pull_request.merge_commit_sha,
+ # but that it is not reliable, and can sometimes be a null values. It
+ # appears that this is the most reasonable way to ensure that we are pulling
+ # the same code that triggered things, based upon this particular comment:
+ # https://github.com/actions/checkout/issues/518#issuecomment-1661941548
+ ref: "refs/pull/${{ github.event.number }}/merge"
+ fetch-depth: 2
+
+ - name: Sanity check
+ # Continuing from previous comment in checkout step above.
+ run: |
+ [[ "$(git rev-parse 'HEAD~2')" == "${{ github.event.pull_request.head.sha }}" ]]
 
 - name: Install package with dependencies
 uses: ./.github/actions/install-pkg
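Review bot: The added "Sanity check" step compares `git rev-parse 'HEAD~2'` with the PR head SHA, but on a `refs/pull/N/merge` checkout the PR head is the merge commit's second parent, `HEAD^2`; `HEAD~2` is the first parent's parent, a base-branch commit that a `fetch-depth: 2` clone probably does not even contain. As written the step looks like it fails on every run instead of confirming that the checked-out merge ref still corresponds to the commit that triggered the `pull_request_target` event, which is the guard the checkout comment relies on. I would change the test to `[[ "$(git rev-parse --verify 'HEAD^2')" == "$PR_HEAD_SHA" ]]` and pass the value through the step's `env:` as `PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}` so no event data is interpolated into the script text. The step list and the gating step that ends in `exit 1` begin outside this hunk, so whether later steps run only after this check passes should be confirmed against the full job.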