workflows: check out v22.21.1 so Dockerfile.Packages is present

harshita-gupta · claude · harshita-gupta · commit 94a22912d74a · 2026-04-21T16:20:41.000-07:00
When dispatched from main, `actions/checkout@v3` pulls main (the workflow's
trigger ref) — but Dockerfile.Packages only lives on the v22.21.1 branch, so
the Docker build step fails with "open Dockerfile.Packages: no such file or
directory". Pinning `ref: ${{ env.NODE_VERSION }}` on the checkout keeps
workflow_ref (OIDC subject claim) on main while giving the build access to
the v22.21.1 tree.

Does not expand the attack surface: the Node source already lives on the
unprotected v22.21.1 branch, so any collaborator capable of modifying
Dockerfile.Packages could already modify the binaries we ship. A follow-up
PR will propose a structural fix.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/build-node-packages.yml b/.github/workflows/build-node-packages.yml
@@ -36,8 +36,24 @@ jobs:
       REPO: ${{ github.repository }}
 
     steps:
+      # Check out the v22.21.1 branch (not the workflow's default branch) so that
+      # Dockerfile.Packages and the Node source tree are present. The workflow YAML
+      # itself runs from whichever ref triggered it (main for workflow_dispatch, or
+      # v22.21.1 for workflow_run) — that's what the OIDC subject claim binds to,
+      # and it's how the IAM role's ref_patterns gate works. `ref:` here only
+      # controls which tree gets checked out into $GITHUB_WORKSPACE.
+      #
+      # Security note: v22.21.1 is not a protected branch, so in principle any of
+      # the repo's ~530 collaborators could push a malicious Dockerfile.Packages
+      # and have this workflow build+upload the resulting image. That same risk
+      # already existed for the Node source itself (which also lives on this
+      # branch), so this change does not expand the attack surface. A follow-up
+      # PR will propose a structural fix (branch protection, patch series, or
+      # submodule model) — tracked in our internal project notes.
       - name: Checkout repository
         uses: actions/checkout@v3
+        with:
+          ref: ${{ env.NODE_VERSION }}
 
       - name: Debug Matrix Values
         run: |
