Skip to content

fix(ci): make PR policy checkout deterministic#884

Closed
BigSimmo wants to merge 2 commits into
mainfrom
codex/find-and-fix-failing-github-test
Closed

fix(ci): make PR policy checkout deterministic#884
BigSimmo wants to merge 2 commits into
mainfrom
codex/find-and-fix-failing-github-test

Conversation

@BigSimmo

@BigSimmo BigSimmo commented Jul 18, 2026

Copy link
Copy Markdown
Owner

Motivation

  • pull_request_target runs were non-deterministic because the workflow checked out a moving base branch ref, allowing reruns to evaluate a different trusted policy revision than the original event.
  • Deterministic checkout is required so PR metadata validation always runs the same trusted policy code that triggered the event.

Description

  • Change the PR policy workflow checkout to use the event base SHA by updating .github/workflows/pr-policy.yml to ref: ${{ github.event.pull_request.base.sha }} for deterministic runs.
  • Add self-test assertions to scripts/pr-policy.mjs that verify the workflow now contains the event base SHA and does not contain github.base_ref, preventing regression.
  • Small wording update in the workflow comment to document the deterministic checkout behavior.

Testing

  • Ran npm run check:pr-policy and it passed (self-test coverage added).
  • Ran npm run check:github-actions and it passed (action pin check passed).
  • Ran git diff --check and it reported no problems.
  • Performed npm ci in a Node 24/npm 11 environment and install completed successfully.
  • Ran npm run verify:cheap which executed the heavy offline gate and Vitest suite; the repo-wide checks and the vast majority of tests passed but tests/pdf-extraction-budget.test.ts failed with ENOENT opening /tmp/.../child.pid, which matches a known/pre-existing main-side/container issue and is not caused by this PR change.

Codex Task

Summary by CodeRabbit

  • Bug Fixes

    • Improved pull request policy checks to consistently evaluate against the exact base revision that triggered the workflow.
    • Prevented reruns from unintentionally using newer policy changes.
  • Tests

    • Added validation to ensure the workflow uses the pull request’s base commit and avoids floating branch references.

@supabase

supabase Bot commented Jul 18, 2026

Copy link
Copy Markdown

This pull request has been ignored for the connected project sjrfecxgysukkwxsowpy because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@coderabbitai

coderabbitai Bot commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

The PR policy workflow now checks out the pull request’s base commit SHA. Its self-test verifies this behavior and rejects use of the moving base branch reference.

Changes

PR policy checkout

Layer / File(s) Summary
Deterministic trusted policy checkout
.github/workflows/pr-policy.yml, scripts/pr-policy.mjs
The workflow uses github.event.pull_request.base.sha, while the self-test asserts that expression is present and github.base_ref is absent.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is informative, but it does not follow the required template: missing Summary, checkbox Verification items, and Risk and rollout. Add the template sections and checklist items: Summary, Verification checkboxes, Risk and rollback, and Notes; include any required governance items if applicable.
✅ Passed checks (4 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title is concise and accurately describes the main change: making PR policy checkout deterministic.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/find-and-fix-failing-github-test

Comment @coderabbitai help to get the list of available commands.

@BigSimmo
BigSimmo marked this pull request as ready for review July 18, 2026 15:56

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 43c378d2f4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/pr-policy.yml
@BigSimmo
BigSimmo enabled auto-merge (squash) July 18, 2026 15:59
@BigSimmo

Copy link
Copy Markdown
Owner Author

@codex resolve actionable Codex review findings for this pull request and current head using the repository instructions. This is the pull request's single automatic repair pass: do not perform a fresh review, create new standalone findings, or request another review. Work only the existing unresolved Codex threads on the current head. Always fix P0 and P1 findings. For P2 and lower findings, fix only clear, scoped, low-risk issues; otherwise disposition them with a concise reason. After fixing or dispositioning a thread, reply in that thread with as the first line, followed by a concise summary; that marker authorizes the workflow to close that exact thread. If human input or new authorization is required, do not use the marker and leave the thread open with the blocker. Finish only after every actionable thread is fixed or dispositioned and closed, or explicitly left open for a human decision. Do not update the branch from main, address unrelated reviews, broaden scope, or create more than one scoped fix commit. Do not use external APIs, paid services, credentials, dependency changes, or broad refactors unless explicitly authorized. Add targeted tests where behavior changes and run the narrowest relevant validation.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 43c378d2f4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/pr-policy.yml
@BigSimmo BigSimmo closed this Jul 18, 2026
auto-merge was automatically disabled July 18, 2026 16:06

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant