From 68f87deca228ad2b6b07c4eb64f201c0838e494f Mon Sep 17 00:00:00 2001 From: Yuriy Andamasov Date: Tue, 12 May 2026 09:20:17 +0300 Subject: ci(ai-validation): stop retargeting origin to fork URL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous CR-driven fix (7a7a8002) re-pointed origin to the PR's HEAD fork on the assumption that claude-code-action calls `git fetch origin `. That assumption is wrong for fork PRs: the action detects a fork PR and fetches `pull//head` instead, and those refs only exist on the base repo. Retargeting origin to the fork therefore breaks the fork-PR fetch path with: PR # is from a fork, fetching via refs/pull//head... fatal: couldn't find remote ref pull//head Observed on run 25689321499 (PR #1891 from natali-rs1985/vyos-documentation). Leave origin pointed at vyos/vyos-documentation (the base repo) — that's where actions/checkout left it after the merge-ref checkout, and where `pull//head` resolves. Replace the step with an explanatory comment. 🤖 Generated by [robots](https://vyos.io) --- .github/workflows/ai-validation.yml | 28 +++++++--------------------- 1 file changed, 7 insertions(+), 21 deletions(-) (limited to '.github/workflows') diff --git a/.github/workflows/ai-validation.yml b/.github/workflows/ai-validation.yml index 993d1876..2060e042 100644 --- a/.github/workflows/ai-validation.yml +++ b/.github/workflows/ai-validation.yml @@ -293,27 +293,13 @@ jobs: persist-credentials: false fetch-depth: 2 - # claude-code-action subsequently runs `git fetch origin ` - # internally during its setup. `` is the branch name in - # the PR's HEAD repo — for fork PRs that branch does NOT exist on - # the base repo (which is what `origin` points at after the merge- - # ref checkout above), so the fetch fails with - # fatal: couldn't find remote ref refs/heads/ - # - # Re-point origin to the HEAD repo's URL so the action's fetch - # resolves. The workspace tree is unchanged — it remains the merge - # tree from above. For public forks (the only kind that target - # vyos/vyos-documentation, since the repo is public) the - # unauthenticated fetch from the fork succeeds without any credential - # (persist-credentials:false stripped the extraheader at the end of - # the previous step). - - name: Re-point origin to fork URL for claude-code-action's git fetch - if: steps.secrets-check.outputs.skip != 'true' - env: - FORK: ${{ github.event.pull_request.head.repo.full_name }} - run: | - set -euo pipefail - git remote set-url origin "https://github.com/$FORK" + # Note: claude-code-action runs `git fetch origin pull//head` for + # fork PRs during its setup. Those refs only exist on the base repo, + # so `origin` must remain pointed at vyos/vyos-documentation (which + # is where actions/checkout above left it). Do NOT retarget origin + # to the fork URL — that breaks the fork-PR fetch path with + # fatal: couldn't find remote ref pull//head + # (verified on run 25689321499, PR #1891). # Defense-in-depth: actions/checkout above brings the PR's merge # tree into the workspace root, which means a malicious fork could -- cgit v1.2.3