Refine GitHub Actions workflow to improve reference commit logic for pull requests. Updated condition to handle merged pull requests more effectively.

[jmcouffin]

No description provided.

[devloai]

PR Summary:

• Updates the ref used by actions/checkout in the CI workflow to better handle pull_request events.
• For open/reopened PRs: now uses head.sha (the PR branch tip) instead of merge_commit_sha (which can be null when there are merge conflicts).
• For closed+merged PRs: continues to use merge_commit_sha for the actual merge commit.

Review Summary:

The fix addresses a real bug — the old expression used merge_commit_sha for all pull_request events (including opened/reopened), which is a GitHub-generated test merge commit that can be null when conflicts exist, causing checkout failures. The new logic correctly branches on merged status.

The main concern is that the deeply nested &&/|| ternary expression carries a silent fallback risk inherent to GitHub Actions' expression evaluation: if merge_commit_sha were ever falsy on a merged PR, the expression silently falls back to head.sha, potentially causing a release build to package the wrong content. A step-based ref resolution approach is safer and considerably more readable.

Suggestions

• Replace the nested && || ternary on the ref: field with a dedicated Resolve checkout ref bash step for safer, more readable ref selection. Apply
• Add a Report Context echo for github.event.pull_request.merge_commit_sha and github.event.pull_request.head.sha to help debug future checkout issues. Apply

[devloai]

Potential silent fallback when merge_commit_sha is null during open PRs with conflicts

For opened/reopened events, github.event.pull_request.merged is false, so the inner expression correctly falls through to head.sha. That part is a genuine improvement over the old code. 👍

However, the overall expression relies on GitHub Actions' JavaScript-like &&/|| short-circuit to emulate a ternary — which means if merge_commit_sha is ever falsy (e.g. null in a conflicting-but-somehow-merged state) the fallback to head.sha would silently trigger on a closed+merged event, checking out the PR branch tip instead of the actual merge commit. This could cause a release build to package the wrong content.

A safer and far more readable approach using an explicit step output (insert before the Checkout step):

      - name: Resolve checkout ref
        id: resolve_ref
        shell: bash
        run: |
          if [ "${{ github.event_name }}" == "pull_request" ]; then
            if [ "${{ github.event.pull_request.merged }}" == "true" ]; then
              echo "ref=${{ github.event.pull_request.merge_commit_sha }}" >> $GITHUB_OUTPUT
            else
              echo "ref=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
            fi
          else
            echo "ref=${{ github.sha }}" >> $GITHUB_OUTPUT
          fi

      - name: Checkout Repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          submodules: recursive
          ref: ${{ steps.resolve_ref.outputs.ref }}

This makes the intent explicit, avoids the &&/|| ternary trap, and is much easier to maintain.

⚡ Apply quick fix

actions

Quick Fix: Apply a small focused fix for this specific issue (takes < 1min).

Feedback: Rate this comment to help me improve future code reviews:

• 👍 Good - Helpful and accurate
• 👎 Poor - Wrong, unclear, or unhelpful
• Skip if you don't have any strong opinions either way.

[github-actions]

📦 New public release are available for 6.3.0.26091+2238