Context
Issue #24949 reports that when a reusable workflow is invoked via workflow_call from a different org (same enterprise), resolve_host_repo.cjs incorrectly resolves to the caller repository instead of the callee (platform) repository.
Root Cause
actions/setup/js/resolve_host_repo.cjs (line 38) uses GITHUB_WORKFLOW_REF to determine the host repo. However, per GitHub Actions documentation, github.workflow_ref (and the GITHUB_WORKFLOW_REF env var) resolves to the top-level caller's workflow ref in workflow_call contexts — not the reusable workflow being executed.
The comment on line 14 incorrectly states:
"GITHUB_WORKFLOW_REF always reflects the currently executing workflow file"
This is only true for non-workflow_call scenarios.
Required Fix
In actions/setup/js/resolve_host_repo.cjs:
- After extracting
workflowRepo from GITHUB_WORKFLOW_REF, check whether it matches GITHUB_REPOSITORY (i.e., both are the caller's repo — cross-org workflow_call scenario)
- If they match but this is a
workflow_call invocation (detectable via GITHUB_EVENT_NAME === 'workflow_call' or by the run context), fall back to the same referenced_workflows API lookup that check_workflow_timestamp_api.cjs uses (lines 118–157 in that file):
- Call
GET /repos/{GITHUB_REPOSITORY}/actions/runs/{GITHUB_RUN_ID}
- Inspect
referenced_workflows[] entries to find the one matching the lock file name
- Extract the correct callee
repository and ref from that entry
- Set
target_repo, target_repo_name, and target_ref outputs from the resolved callee values
Files to Modify
actions/setup/js/resolve_host_repo.cjs — main fixactions/setup/js/resolve_host_repo.cjs test file (if it exists) — add cross-org workflow_call test case
Reference
actions/setup/js/check_workflow_timestamp_api.cjs lines 118–157 — existing referenced_workflows lookup to reuse- The
target_repo_name output was already designed for actions/create-github-app-token (comment on lines 76–77), confirming cross-org was anticipated
Acceptance Criteria
Generated by Plan Command for issue #24949 · ● 509.4K · ◷
Context
Issue #24949 reports that when a reusable workflow is invoked via
workflow_callfrom a different org (same enterprise),resolve_host_repo.cjsincorrectly resolves to the caller repository instead of the callee (platform) repository.Root Cause
actions/setup/js/resolve_host_repo.cjs(line 38) usesGITHUB_WORKFLOW_REFto determine the host repo. However, per GitHub Actions documentation,github.workflow_ref(and theGITHUB_WORKFLOW_REFenv var) resolves to the top-level caller's workflow ref inworkflow_callcontexts — not the reusable workflow being executed.The comment on line 14 incorrectly states:
This is only true for non-
workflow_callscenarios.Required Fix
In
actions/setup/js/resolve_host_repo.cjs:workflowRepofromGITHUB_WORKFLOW_REF, check whether it matchesGITHUB_REPOSITORY(i.e., both are the caller's repo — cross-orgworkflow_callscenario)workflow_callinvocation (detectable viaGITHUB_EVENT_NAME === 'workflow_call'or by the run context), fall back to the samereferenced_workflowsAPI lookup thatcheck_workflow_timestamp_api.cjsuses (lines 118–157 in that file):GET /repos/{GITHUB_REPOSITORY}/actions/runs/{GITHUB_RUN_ID}referenced_workflows[]entries to find the one matching the lock file namerepositoryandreffrom that entrytarget_repo,target_repo_name, andtarget_refoutputs from the resolved callee valuesFiles to Modify
actions/setup/js/resolve_host_repo.cjs— main fixactions/setup/js/resolve_host_repo.cjstest file (if it exists) — add cross-orgworkflow_calltest caseReference
actions/setup/js/check_workflow_timestamp_api.cjslines 118–157 — existingreferenced_workflowslookup to reusetarget_repo_nameoutput was already designed foractions/create-github-app-token(comment on lines 76–77), confirming cross-org was anticipatedAcceptance Criteria
GITHUB_WORKFLOW_REFpoints to the caller repo (cross-orgworkflow_call), the script queries thereferenced_workflowsAPI and resolves the correct callee repo/refGITHUB_WORKFLOW_REFworkflow_callscenarioRelated to Cross-org workflow_call: resolve_host_repo, checkout, and hash check all fail #24949