fix(github): use provided target ref in GetFileInsideRepo

theakshaypant · zakisk · commit 47ee286fdd5e · 2026-04-27T16:25:48.000+05:30
GetFileInsideRepo ignored the caller-supplied target ref and
substituted runevent.BaseBranch. This caused OWNERS ACL checks
to read from the wrong branch when a PR targets a non-default
branch, and remote task fetches to resolve against the PR base
instead of the specified ref.

Signed-off-by: Akshay Pant &lt;akpant@redhat.com&gt;
diff --git a/pkg/provider/github/github.go b/pkg/provider/github/github.go
@@ -505,7 +505,7 @@ func (v *Provider) GetCommitInfo(ctx context.Context, runevent *info.Event) erro
 func (v *Provider) GetFileInsideRepo(ctx context.Context, runevent *info.Event, path, target string) (string, error) {
 	ref := runevent.SHA
 	if target != "" {
-		ref = runevent.BaseBranch
+		ref = target
 	} else if v.provenance == "default_branch" {
 		ref = runevent.DefaultBranch
 	}
diff --git a/pkg/provider/github/github_test.go b/pkg/provider/github/github_test.go
@@ -728,6 +728,79 @@ func TestGetFileInsideRepo(t *testing.T) {
 	}
 }
 
+func TestGetFileInsideRepoRefSelection(t *testing.T) {
+	fileContent := base64.StdEncoding.EncodeToString([]byte("valid owners file"))
+	tests := []struct {
+		name        string
+		event       *info.Event
+		target      string
+		provenance  string
+		expectedRef string
+	}{
+		{
+			name: "uses SHA when target is empty",
+			event: &info.Event{
+				Organization:  "org",
+				Repository:    "repo",
+				SHA:           "sha123",
+				BaseBranch:    "main",
+				DefaultBranch: "main",
+			},
+			target:      "",
+			expectedRef: "sha123",
+		},
+		{
+			name: "uses target ref when target is provided",
+			event: &info.Event{
+				Organization:  "org",
+				Repository:    "repo",
+				SHA:           "sha123",
+				BaseBranch:    "main",
+				DefaultBranch: "main",
+			},
+			target:      "refs/heads/release-1.0",
+			expectedRef: "refs/heads/release-1.0",
+		},
+		{
+			name: "uses DefaultBranch when target is empty and provenance is default_branch",
+			event: &info.Event{
+				Organization:  "org",
+				Repository:    "repo",
+				SHA:           "sha123",
+				BaseBranch:    "develop",
+				DefaultBranch: "main",
+			},
+			target:      "",
+			provenance:  "default_branch",
+			expectedRef: "main",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx, _ := rtesting.SetupFakeContext(t)
+			fakeclient, mux, _, teardown := ghtesthelper.SetupGH()
+			defer teardown()
+			gvcs := Provider{
+				ghClient:   fakeclient,
+				provenance: tt.provenance,
+			}
+
+			mux.HandleFunc("/repos/org/repo/contents/OWNERS", func(w http.ResponseWriter, r *http.Request) {
+				gotRef := r.URL.Query().Get("ref")
+				assert.Equal(t, gotRef, tt.expectedRef)
+				fmt.Fprintf(w, `{"name": "OWNERS", "path": "OWNERS", "sha": "ownersha"}`)
+			})
+			mux.HandleFunc("/repos/org/repo/git/blobs/ownersha", func(w http.ResponseWriter, _ *http.Request) {
+				fmt.Fprintf(w, `{"content": %q, "sha": "ownersha"}`, fileContent)
+			})
+
+			got, err := gvcs.GetFileInsideRepo(ctx, tt.event, "OWNERS", tt.target)
+			assert.NilError(t, err)
+			assert.Equal(t, got, "valid owners file")
+		})
+	}
+}
+
 func TestCheckSenderOrgMembership(t *testing.T) {
 	tests := []struct {
 		name      string

Original file line number	Diff line number	Diff line change
`@@ -505,7 +505,7 @@ func (v Provider) GetCommitInfo(ctx context.Context, runevent info.Event) erro`
`505`	`505`	`func (v Provider) GetFileInsideRepo(ctx context.Context, runevent info.Event, path, target string) (string, error) {`
`506`	`506`	`ref := runevent.SHA`
`507`	`507`	`if target != "" {`
`508`		`- ref = runevent.BaseBranch`
	`508`	`+ ref = target`
`509`	`509`	`} else if v.provenance == "default_branch" {`
`510`	`510`	`ref = runevent.DefaultBranch`
`511`	`511`	`}`