Summary
codetests.yml runs on pull_request_target, but each job uses actions/checkout without an explicit PR ref/repository.
On fork-based PRs, this checks out upstream main instead of the PR head commit, so lint/test output can report unrelated failures from main.
Reproduction
- Open a PR from a fork.
- Trigger test-and-lint (pull_request_target).
- In logs, observe checkout resolving to origin/main (base branch), not the PR head SHA.
Observed in: #618
Expected
For pull_request_target, checkout should target the PR head repository + SHA so CI validates the actual PR changes.
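A workflow fragment showing the checkout change described under Expected, as an added example that is not the project's actual codetests.yml. The workflow name, runner, `actions/checkout@v4` version and the lint/test step are assumptions. Because `pull_request_target` runs in the base repository's context, the fragment also restricts the token to read-only and does not persist it, since the job then executes code from the fork.

```yaml
# Added example; not the project's codetests.yml. Names below are assumed.
name: codetests
on:
  pull_request_target:

# Read-only token: the job below checks out and runs code from the fork.
permissions:
  contents: read

jobs:
  test-and-lint:
    runs-on: ubuntu-latest
    steps:
      # Before: no repository/ref given, so under pull_request_target the
      # checkout resolves to the base branch (upstream main), not the PR.
      # - uses: actions/checkout@v4

      # After: check out the PR head repository at the PR head SHA.
      - uses: actions/checkout@v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false

      # Fail early if the working tree is not the commit under review.
      - name: Confirm checkout matches PR head
        env:
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: test "$(git rev-parse HEAD)" = "$HEAD_SHA"

      # Placeholder for the project's real lint/test commands.
      # Keep repository secrets out of this job's env and step inputs.
      - name: Lint and test
        run: echo "run lint and tests here"
```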