fix(ci): pin target commit SHA in Gemini Bot workflow

2026-05-17 15:23:08 -07:00 · 2026-05-15 11:55:42 -07:00
parent 289e061d54
commit 9be8a0e9e5
1 changed files with 7 additions and 1 deletions
@@ -61,6 +61,7 @@ jobs:
      pull-requests: 'read'
    outputs:
      sha: ${{ steps.get_sha.outputs.sha }}
+      target_sha: ${{ steps.get_target_sha.outputs.sha }}
    env:
      GEMINI_CLI_TRUST_WORKSPACE: 'true'
    steps:
@@ -100,6 +101,11 @@ jobs:
          fetch-depth: 0
          persist-credentials: false

+      - name: 'Get Target SHA'
+        id: 'get_target_sha'
+        working-directory: repo-target
+        run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+
      - name: 'Download Previous State'
        env:
          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
@@ -316,7 +322,7 @@ jobs:
      - name: 'Checkout'
        uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
        with:
-          ref: 'main'
+          ref: '${{ needs.reasoning.outputs.target_sha }}'
          fetch-depth: 0
          persist-credentials: false