
fix(ci): use merge commit ref in backport workflow for fork PRs#820

Merged
raballew merged 1 commit into
jumpstarter-dev:mainfrom
raballew:fix/backport-merge-commit-ref
Jun 23, 2026

Conversation

@raballew

Member

Summary

  • The backport workflow uses pull_request_target, which runs with the base repo's privileges (secrets, tokens, cache)
  • Recent actions/checkout versions now block checking out fork PR code in this context to prevent "pwn request" attacks
  • Since the backport only runs on already-merged PRs, this switches from head.sha (fork code) to merge_commit_sha (base repo code) -- avoiding the security issue entirely

Test plan

  • Merge a fork PR with a backport/* label and verify the backport PR is created correctly

🤖 Generated with Claude Code

The backport workflow uses pull_request_target which runs with the base
repo's privileges. Recent actions/checkout versions now block checking
out fork PR code in this context to prevent "pwn request" attacks.
Since the backport only runs on already-merged PRs, use the merge
commit SHA from the base repo instead of the fork's head SHA.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
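The weak and corrected checkout settings side by side, written as an added illustrative workflow for this page. It is not the jumpstarter project's own backport.yaml (that file is not reproduced here): the trigger on closed pull_request_target events, the merged check, the backport/* label filter, the permissions block, fetch-depth and the backport action name are all assumptions made for illustration.

```yaml
# Added example (not the jumpstarter project's workflow): a backport job that
# runs under pull_request_target, i.e. with the base repository's secrets and
# write token, and therefore must never check out untrusted fork code.
name: Backport

on:
  pull_request_target:
    types: [closed]          # assumption: fires when a PR is closed or merged

permissions:
  contents: write
  pull-requests: write

jobs:
  backport:
    # Assumption: the job only proceeds for PRs that were actually merged and
    # carry a backport/* label. The merged check is the real control: for an
    # open PR, merge_commit_sha points at GitHub's test merge commit, which
    # still contains the fork's code.
    if: >-
      github.event.pull_request.merged == true &&
      contains(join(github.event.pull_request.labels.*.name, ','), 'backport/')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Weak setting (the "before"): head.sha is the fork branch tip.
          # Under pull_request_target this checks out untrusted code into a
          # privileged job, the classic "pwn request", and recent
          # actions/checkout releases refuse to do it for fork PRs.
          #   ref: ${{ github.event.pull_request.head.sha }}
          #
          # Corrected setting: merge_commit_sha is a commit that already
          # exists in the base repository once the PR is merged, so the job
          # checks out only code the base repo already contains.
          ref: ${{ github.event.pull_request.merge_commit_sha }}
          fetch-depth: 0     # assumption: cherry-picks need full history

      - name: Create backport PRs
        uses: example/backport-action@v1   # hypothetical action name
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
```

Two points a practitioner should check before copying this pattern. First, the merged guard and the merge_commit_sha ref belong together: without the guard, a closed-but-unmerged fork PR would still resolve to a test merge commit built from the fork's code. Second, merge_commit_sha is the squash commit for squash merges and the merge commit for merge commits, so a backport action that cherry-picks from it sees exactly what landed on the base branch, which is what the PR description above relies on.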
@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Contributor


No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between a3bcb14 and 8a0092c.

📒 Files selected for processing (1)
  • .github/workflows/backport.yaml

📝 Walkthrough

The backport workflow's actions/checkout step is updated to check out the pull request's merge_commit_sha instead of head.sha, changing which commit is used as the base when creating backport PRs after a merge.

Changes

Backport Workflow Ref Fix

  • Layer: Checkout ref updated to merge_commit_sha
  • File(s): .github/workflows/backport.yaml
  • Summary: The ref input for actions/checkout is changed from ${{ github.event.pull_request.head.sha }} to ${{ github.event.pull_request.merge_commit_sha }}, so the backport job operates on the merged commit rather than the PR branch tip.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • jumpstarter-dev/jumpstarter#412: Introduced the backport workflow that checks out the pull request commit and runs the backport action — the same .github/workflows/backport.yaml file being modified here.

Suggested reviewers

  • bennyz

Poem

🐇 Hippity hop, the SHA has changed,
From head to merge, the commits rearranged!
No more the branch tip, the merge commit's the one,
Backports now land where the merging was done.
A one-line fix, but oh what a treat! 🌿

🚥 Pre-merge checks (5 passed)

  • Title check: ✅ Passed. The title accurately describes the main change: using merge_commit_sha instead of head.sha in the backport workflow to support fork PRs.
  • Description check: ✅ Passed. The description clearly explains the security issue with pull_request_target, why the change is needed, and how it solves the problem.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@raballew raballew enabled auto-merge (squash) June 23, 2026 10:26
@mangelajo mangelajo added this to the 0.9.0 milestone Jun 23, 2026
@raballew raballew merged commit 51971c2 into jumpstarter-dev:main Jun 23, 2026
39 of 44 checks passed