fix: dispatch-workflow fails with "No ref found" when target-ref is a commit SHA#30426
Merged
Conversation
… SHA - In resolve_host_repo.cjs: parse branch/tag ref from JOB_WORKFLOW_REF (substring after '@') as 'target_ref' for workflow dispatch; emit 'target_checkout_ref' (JOB_WORKFLOW_SHA) for activation checkout pinning. Add warning when JOB_WORKFLOW_REF is malformed or missing. - In compiler_activation_job.go: use target_checkout_ref (SHA) for activation checkout step to preserve exact-revision pinning. - In compiler_activation_job_builder.go: expose both target_ref (dispatch-compatible branch/tag) and target_checkout_ref (SHA) as activation job outputs; update comments. - In checkout_manager.go: update comments to reflect new output names. - In compiler_safe_outputs_config.go: injection already uses target_ref, which now correctly carries the dispatch-compatible branch/tag ref. - Add resolve_host_repo.test.cjs with full coverage. - Add TestActivationJobTargetCheckoutRefOutput and TestActivationJobTargetRefIsDispatchCompatible Go tests. - Add TestDispatchWorkflowRelayInjectsDispatchCompatibleRef Go test. Agent-Logs-Url: https://github.com/github/gh-aw/sessions/7c961cd0-263e-4f48-955d-cf9b3677b028 Co-authored-by: pelikhan <[email protected]>
…kout_ref Agent-Logs-Url: https://github.com/github/gh-aw/sessions/7c961cd0-263e-4f48-955d-cf9b3677b028 Co-authored-by: pelikhan <[email protected]>
Copilot
AI
changed the title
[WIP] Fix dispatch-workflow receiving job.workflow_sha as target-ref
fix: dispatch-workflow fails with "No ref found" when target-ref is a commit SHA
May 5, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes workflow dispatch failures in workflow_call relay workflows by separating the activation job’s “checkout ref” (immutable SHA) from the “dispatch ref” (branch/tag), so createWorkflowDispatch never receives a commit SHA.
Changes:
- Split
resolve_host_repooutputs intotarget_checkout_ref(SHA) andtarget_ref(branch/tag parsed fromjob.workflow_ref), and update activation checkout to usetarget_checkout_ref. - Expose the new output from the activation job build context and update compiled lock workflows accordingly.
- Add JS + Go tests to verify output separation and that dispatch_workflow injection uses
needs.activation.outputs.target_ref.
Show a summary per file
| File | Description |
|---|---|
actions/setup/js/resolve_host_repo.cjs |
Introduces target_checkout_ref vs target_ref outputs and parsing logic for dispatch ref. |
actions/setup/js/resolve_host_repo.test.cjs |
Adds vitest coverage for ref parsing/output behavior. |
pkg/workflow/compiler_activation_job.go |
Updates activation .github checkout to use target_checkout_ref (SHA). |
pkg/workflow/compiler_activation_job_builder.go |
Exposes target_checkout_ref and documents intended semantics for both outputs. |
pkg/workflow/compiler_activation_job_test.go |
Adds Go regression tests validating output separation and checkout ref usage. |
pkg/workflow/compiler_safe_outputs_config_test.go |
Ensures dispatch_workflow injection uses needs.activation.outputs.target_ref and not the SHA output. |
pkg/workflow/checkout_manager.go |
Updates cross-repo checkout ref documentation to reflect the new output names. |
.github/workflows/smoke-workflow-call.lock.yml |
Recompiled lockfile to include target_checkout_ref output and use it for checkout ref:. |
.github/workflows/smoke-workflow-call-with-inputs.lock.yml |
Same as above for the “with inputs” smoke workflow lockfile. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 9/9 changed files
- Comments generated: 3
Comment on lines
+42
to
+50
| function parseDispatchRef(workflowRef) { | ||
| if (!workflowRef) { | ||
| return ""; | ||
| } | ||
| const atIndex = workflowRef.indexOf("@"); | ||
| if (atIndex === -1) { | ||
| return ""; | ||
| } | ||
| return workflowRef.slice(atIndex + 1); |
Comment on lines
+5
to
+31
| describe("parseDispatchRef", () => { | ||
| it("parses refs/heads/main from a standard workflow_ref", () => { | ||
| expect(parseDispatchRef("owner/repo/.github/workflows/file.yml@refs/heads/main")).toBe("refs/heads/main"); | ||
| }); | ||
|
|
||
| it("parses refs/tags/v1.2.3 from a tag-triggered workflow_ref", () => { | ||
| expect(parseDispatchRef("owner/repo/.github/workflows/file.yml@refs/tags/v1.2.3")).toBe("refs/tags/v1.2.3"); | ||
| }); | ||
|
|
||
| it("parses refs/heads/feature/my-branch from a nested branch name", () => { | ||
| expect(parseDispatchRef("org/repo/.github/workflows/ci.yml@refs/heads/feature/my-branch")).toBe("refs/heads/feature/my-branch"); | ||
| }); | ||
|
|
||
| it("returns empty string when JOB_WORKFLOW_REF is empty", () => { | ||
| expect(parseDispatchRef("")).toBe(""); | ||
| }); | ||
|
|
||
| it("returns empty string when JOB_WORKFLOW_REF has no '@' separator", () => { | ||
| expect(parseDispatchRef("owner/repo/.github/workflows/file.yml")).toBe(""); | ||
| }); | ||
|
|
||
| it("does not return a SHA-like value for a tag ref", () => { | ||
| const result = parseDispatchRef("owner/repo/.github/workflows/file.yml@refs/tags/v2.0.0"); | ||
| expect(result).toBe("refs/tags/v2.0.0"); | ||
| // Must not look like a SHA (40 hex chars) | ||
| expect(result).not.toMatch(/^[0-9a-f]{40}$/); | ||
| }); |
Comment on lines
152
to
154
| // In the activation job this is set to "${{ steps.resolve-host-repo.outputs.target_checkout_ref }}" | ||
| // (the immutable commit SHA for exact-revision pinning). | ||
| // In the agent and safe_outputs jobs it is set to "${{ needs.activation.outputs.target_ref }}". |
Collaborator
|
@copilot review comments |
- Use lastIndexOf('@') instead of indexOf to correctly handle the edge
case where the workflow path contains '@'
- Reject 40-hex SHA values returned by parseDispatchRef; workflow_call
can reference a workflow by SHA but createWorkflowDispatch cannot
accept a SHA as ref — return "" instead and let the warning fire
- Add tests: SHA ref → "" + warn, lastIndexOf '@' edge case
- Fix misleading checkout_manager.go comments: crossRepoTargetRef is
only set in the activation job; remove incorrect claim that downstream
jobs also set it
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/c019f917-d9b4-47b8-8f5f-7de17a437ec8
Co-authored-by: pelikhan <[email protected]>
Contributor
Author
Addressed all three review points in commit 9e32f7d:
Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
resolve_host_repo.cjswas emittingjob.workflow_sha(a commit SHA) astarget_ref. The compiler-injectedtarget-refindispatch_workflowsafe outputs forwarded this SHA tocreateWorkflowDispatch, which only accepts branch/tag refs — causingNo ref found for: <sha>failures inworkflow_callrelay workflows.Root cause
Two consumers need different ref formats:
actions/checkout→ wants an immutable SHA for exact-revision pinningcreateWorkflowDispatch→ rejects SHAs, requires a branch/tag refPreviously a single
target_refoutput served both, set to the SHA.Changes
resolve_host_repo.cjs: Split into two outputs:target_checkout_ref— SHA fromJOB_WORKFLOW_SHA(for checkout pinning, unchanged semantics)target_ref— branch/tag parsed fromJOB_WORKFLOW_REFusinglastIndexOf('@')(handles edge cases where@appears in the workflow path); SHA-like values (40-hex) are explicitly rejected and return""with a warning, sinceworkflow_callcan reference a workflow by SHA butcreateWorkflowDispatchcannotJOB_WORKFLOW_REFis malformed, missing, or resolves to a SHA (no silent SHA fallback)compiler_activation_job.go: Activation checkout now usestarget_checkout_ref(SHA)compiler_activation_job_builder.go: Bothtarget_refandtarget_checkout_refare exposed as activation job outputs;compiler_safe_outputs_config.goalready injectsneeds.activation.outputs.target_reffor dispatch — no change needed therecheckout_manager.go: Fixed misleading comments —crossRepoTargetRefis only set in the activation job; removed incorrect claim that downstream jobs also set itLock files recompiled to reflect the new output and updated checkout ref
Tests added
resolve_host_repo.test.cjs— 16 tests covering branch/tag parsing, SHA isolation, tag refs, malformed/missingJOB_WORKFLOW_REF, SHA refs returning""with a warning, andlastIndexOfcorrectness with@in the workflow pathTestActivationJobTargetCheckoutRefOutput,TestActivationJobTargetRefIsDispatchCompatible— Go tests verifying output separationTestDispatchWorkflowRelayInjectsDispatchCompatibleRef— verifies the safe-outputs config injectstarget_ref(branch/tag), nevertarget_checkout_ref(SHA)