Replace gh pr checkout with git fetch refs/pull to avoid GH_HOST issues#26136
Merged
Replace gh pr checkout with git fetch refs/pull to avoid GH_HOST issues#26136
gh pr checkout with git fetch refs/pull to avoid GH_HOST issues#26136Conversation
… issues Replace `gh pr checkout` with pure git operations (`git fetch origin +refs/pull/N/head` + `git checkout -B`) for PR checkout in non-fork pull_request_target, issue_comment, and other PR event handlers. GitHub exposes refs/pull/N/head for all PRs including forks, so this works universally. Git operations use remote URLs directly and are unaffected by GH_HOST overrides from the DIFC proxy, eliminating the need for the getGhEnvBypassingIntegrityFilteringForGitOps helper. Also removes the now-unused getGitHubHost() and getGhEnvBypassingIntegrityFilteringForGitOps() from git_helpers.cjs.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR removes reliance on gh pr checkout for checking out pull request branches and replaces it with a pure-git flow (git fetch origin +refs/pull/N/head:... + git checkout -B ...), avoiding failures caused by GH_HOST overrides (e.g., DIFC proxy).
Changes:
- Replace
gh pr checkoutwithgit fetch origin +refs/pull/N/headandgit checkout -Bincheckout_pr_branch.cjs. - Remove now-unused
GH_HOST/host-derivation helpers fromgit_helpers.cjs. - Update the checkout test suite to assert the new git-based behavior and drop GH_HOST-override coverage.
Show a summary per file
| File | Description |
|---|---|
| actions/setup/js/checkout_pr_branch.cjs | Switch checkout strategy from gh CLI to fetching refs/pull/N/head and checking out a local branch from the fetched ref. |
| actions/setup/js/git_helpers.cjs | Remove GH_HOST/GHE host derivation helpers that no longer have consumers. |
| actions/setup/js/checkout_pr_branch.test.cjs | Update tests to validate the new fetch-by-ref checkout flow and remove GH_HOST override expectations. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comments suppressed due to low confidence (2)
actions/setup/js/checkout_pr_branch.cjs:180
- The else-branch now always calls the GitHub API (
fetchPRDetails) to getcommitCountandheadRef, even when the event payload already containspullRequest.commitsandpullRequest.head.ref(e.g.pull_request_target,pull_requestfork payloads). This adds avoidable latency and increases the chance of rate-limit / transient API failures. Prefer using the payload values when present, only falling back to the API when the data is missing (likeissue_comment).
// Get PR details from API to determine head ref name and commit count
const { commitCount, headRef } = await fetchPRDetails(prNumber);
const fetchDepth = (commitCount || 1) + 1; // +1 to include the merge base
actions/setup/js/checkout_pr_branch.cjs:187
git checkout -B ${branchName} origin/pr-headforce-resets/overwrites any existing local branch with the same name. On persistent workspaces (e.g. self-hosted runners or scripts re-run in the same directory) this can clobber local state unexpectedly. Consider always checking out to a unique, namespaced branch (e.g.pr-${prNumber}) and/or avoiding-Bunless you explicitly want to reset an existing branch.
const branchName = headRef || `pr-${prNumber}`;
core.info(`Checking out branch: ${branchName}`);
await exec.exec("git", ["checkout", "-B", branchName, "origin/pr-head"]);
- Files reviewed: 3/3 changed files
- Comments generated: 2
dsyme
force-pushed
the
fix/replace-gh-pr-checkout-with-git-ops
branch
from
dbf0eb0 to
f2b0140
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Replaces
gh pr checkoutwith pure git operations for PR checkout incheckout_pr_branch.cjs, eliminating the dependency onGH_HOSTand avoiding DIFC proxy conflicts.Problem
When the DIFC proxy is active, it sets
GH_HOST=localhost:18443which causesgh pr checkoutto fail because the proxy address doesn't match any git remote. The previous fix (getGhEnvBypassingIntegrityFilteringForGitOps) worked around this by overridingGH_HOSTper-call, but this is fragile and requires maintenance.Solution
Use
git fetch origin +refs/pull/N/head:refs/remotes/origin/pr-headfollowed bygit checkout -B {branch} origin/pr-headinstead ofgh pr checkout. Git operations use remote URLs directly and are completely unaffected byGH_HOST.GitHub exposes
refs/pull/N/headfor all PRs, including fork PRs, so this works universally.Changes
checkout_pr_branch.cjs: Replacegh pr checkoutwithgit fetch refs/pull/N/head+git checkout -B. Fetches the correct depth upfront via the API (no separate history-deepening step needed). Removegit_helpers.cjsimport.git_helpers.cjs: RemovegetGitHubHost()andgetGhEnvBypassingIntegrityFilteringForGitOps()— no consumers remain.checkout_pr_branch.test.cjs: Update all 47 tests to validate the new git-based checkout flow rather thangh pr checkout. Remove the GH_HOST override test group.Testing
All 47 checkout tests + 19 git_helpers tests pass.