Fix workflow_run triggered builds by checking out latest commit with updated npm hash

[Copilot]

The automatic npm dependency hash update workflow was successfully updating hashes in docs/default.nix when dependabot created PRs, but the subsequent doc.yml and build.yml workflows triggered by workflow_run events were failing with hash mismatch errors.

Root Cause

The issue was that workflows triggered by workflow_run events were checking out the wrong commit. They used github.event.workflow_run.head_sha which points to the original dependabot commit before the hash was updated, not the latest commit on the branch after the hash update was committed.

This caused a mismatch where the workflows were trying to build with:

• New package.json and package-lock.json (from dependabot)
• Old npmDepsHash in docs/default.nix (from before the update)

Error Example

error: hash mismatch in fixed-output derivation '/nix/store/irv00xykvphxqhswkjrhmkbbmhf8jr3b-ghaf-docs-0.1.0-npm-deps.drv':
         specified: sha256-ckKaqnh2zAe34Hi+fpmf2NqoIB8KyEVMrvv3jdnkp4U=
            got:    sha256-46kWe3Kh+HSitGPqW+yCsmT2WSpRbDqydTBssL8sKGc=

Solution

Modified both doc.yml and build.yml workflows to use github.ref (which resolves to the latest commit on the branch) when triggered by workflow_run events, while preserving the existing logic for other event types.

Before:

ref: ${{ github.event.workflow_run.head_sha || github.ref }}

After:

ref: ${{ github.event_name == 'workflow_run' && github.ref || github.event.workflow_run.head_sha || github.ref }}

This ensures that when the "Update npmDepsHash" workflow completes and triggers other workflows via workflow_run, those workflows will check out the latest commit on the branch that contains the updated hash.

Verification

• Confirmed the issue exists in dependabot PR build(deps): bump astro from 5.9.2 to 5.13.5 in /docs #1352 where npm hash updates succeeded but triggered workflows failed
• Verified that both doc.yml (run ID 17453694487) and build.yml (run ID 17453694490) failed with hash mismatches when triggered by workflow_run
• The fix is ready for testing once merged to main

Fixes #1367.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/tiiuae/ghaf/actions/runs
  • Triggering command: curl -s -H Authorization: token REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.