fix(ci): clone PR head branch, not the unbuildable merge-ref

All 17 checkout blocks cloned via --branch GITHUB_REF_NAME; on pull_request that is a merge ref git clone --branch cannot resolve, so every checkout-based gate (detect-changes, guardrail-integrity, secret-scan, sbom-scan, dep-audit, build-sha-integrity, validate-canonical-controls) failed before running. Now clone GITHUB_HEAD_REF with GITHUB_REF_NAME fallback: PR uses its source branch, push keeps prior behaviour. Additive. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-21 14:16:29 +02:00
parent 24bb449a79
commit 079bb56922
1 changed files with 17 additions and 17 deletions
@@ -43,7 +43,7 @@ jobs:
      - name: Checkout
        run: |
          apk add --no-cache git bash
-          git clone --depth 200 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git clone --depth 200 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
          if [ "${GITHUB_EVENT_NAME}" = "pull_request" ]; then
            git fetch --depth 200 origin "${GITHUB_BASE_REF}" || true
          else
@@ -87,7 +87,7 @@ jobs:
      - name: Checkout
        run: |
          apk add --no-cache git bash
-          git clone --depth 20 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git clone --depth 20 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
          git fetch origin ${GITHUB_BASE_REF}:base
      - name: Require [guardrail-change] in commits touching guardrails
        run: |
@@ -108,7 +108,7 @@ jobs:
      - name: Checkout
        run: |
          apk add --no-cache git bash
-          git clone --depth 50 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git clone --depth 50 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Enforce 500-line hard cap
        run: |
          chmod +x scripts/check-loc.sh
@@ -123,7 +123,7 @@ jobs:
      - name: Checkout
        run: |
          apk add --no-cache git
-          git clone --depth 50 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git clone --depth 50 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Scan for secrets
        run: |
          gitleaks detect --source . --no-git \
@@ -141,7 +141,7 @@ jobs:
      - name: Checkout
        run: |
          apk add --no-cache git
-          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Lint ai-compliance-sdk
        run: |
          [ -d "ai-compliance-sdk" ] || exit 0
@@ -162,7 +162,7 @@ jobs:
    steps:
      - name: Checkout
        run: |
-          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Lint (ruff) + type-check (mypy)
        run: |
          pip install --quiet ruff mypy
@@ -193,7 +193,7 @@ jobs:
      - name: Checkout
        run: |
          apk add --no-cache git
-          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Lint + type-check
        run: |
          fail=0
@@ -215,7 +215,7 @@ jobs:
      - name: Checkout
        run: |
          apk add --no-cache git
-          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Build Next.js services
        run: |
          fail=0
@@ -239,7 +239,7 @@ jobs:
    steps:
      - name: Checkout
        run: |
-          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Install Node.js + Go
        run: |
          curl -fsSL https://deb.nodesource.com/setup_20.x | bash - > /dev/null 2>&1
@@ -282,7 +282,7 @@ jobs:
      - name: Checkout
        run: |
          apk add --no-cache git curl bash
-          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Install syft + grype
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh  | sh -s -- -b /usr/local/bin
@@ -304,7 +304,7 @@ jobs:
      - name: Checkout
        run: |
          apk add --no-cache git
-          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Test ai-compliance-sdk
        run: |
          [ -d "ai-compliance-sdk" ] || exit 0
@@ -324,7 +324,7 @@ jobs:
    steps:
      - name: Checkout
        run: |
-          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: GT-Bremse measure-coverage report
        run: |
          python3 scripts/gt_measure_gap_analysis.py --json /tmp/gt_gap_report.json > /tmp/gt_gap_report.md
@@ -355,7 +355,7 @@ jobs:
    steps:
      - name: Checkout
        run: |
-          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Test backend-compliance
        run: |
          [ -d "backend-compliance" ] || exit 0
@@ -375,7 +375,7 @@ jobs:
    steps:
      - name: Checkout
        run: |
-          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Test document-crawler
        run: |
          [ -d "document-crawler" ] || exit 0
@@ -395,7 +395,7 @@ jobs:
    steps:
      - name: Checkout
        run: |
-          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Test dsms-gateway
        run: |
          [ -d "dsms-gateway" ] || exit 0
@@ -417,7 +417,7 @@ jobs:
      - name: Checkout
        run: |
          apk add --no-cache git python3 py3-yaml
-          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Validate every Dockerfile + compose block declares BUILD_SHA
        run: |
          python3 - <<'PY'
@@ -456,6 +456,6 @@ jobs:
    steps:
      - name: Checkout
        run: |
-          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Validate controls
        run: python scripts/validate-controls.py