create-pull-request safe output fails with "No changes to commit" when workspace is a cross-repo checkout

[tore-unumed]

Description

When using the SideRepoOps pattern with a cross-repo checkout as the workspace root (i.e., checking out org/target-repo in a workflow that lives in org/side-repo), create-pull-request with target-repo always fails with:

No changes to commit - no commits found

This happens even when the agent has successfully edited files, run tests, and committed to a local branch in the workspace.

Root Causes

generate_git_patch.cjs has two patch strategies. Both fail in the cross-repo checkout case:

Strategy 1 (branch-based): When the agent passes a branch name:

1. git show-ref --verify refs/heads/<branch> — succeeds (agent created the branch)
2. git show-ref --verify refs/remotes/origin/<branch> — fails (branch has not been pushed)
3. Falls back to git fetch origin <DEFAULT_BRANCH> — fails silently because persist-credentials: false (required by strict mode since v0.47.2) removes the credential helper, and the target repo is private
4. Exception propagates to outer catch, Strategy 1 is silently skipped

Strategy 2 (GITHUB_SHA fallback):

1. GITHUB_SHA is set by the runner to the commit SHA of the workflow repo (the side repo), not the target repo that is checked out
2. That SHA does not exist in the target repo git history
3. git merge-base --is-ancestor <wrong-SHA> HEAD throws, Strategy 2 is silently skipped

Additionally, DEFAULT_BRANCH is set via ${{ github.event.repository.default_branch }} which resolves to the workflow repo default branch, not the target repo.

Reproduction

Minimal workflow in org/side-repo:

---
on: workflow_dispatch

engine: copilot

steps:
  - name: Checkout target repo
    uses: actions/checkout@v6
    with:
      repository: org/target-repo
      token: ${{ secrets.TARGET_PAT }}
      persist-credentials: false
      fetch-depth: 0

safe-outputs:
  github-token: ${{ secrets.TARGET_PAT }}
  create-pull-request:
    target-repo: "org/target-repo"
    base-branch: main
  add-comment:
    max: 1
    target: "*"
    target-repo: "org/main-repo
---

Edit files in the workspace, commit to a new branch, then call create_pull_request.

The agent will successfully edit/commit, but create_pull_request returns "No changes to commit - no commits found" every time.

Evidence

Tested across 3 workflow runs. In all cases:

• Agent successfully edited files, ran tests (14 passed), committed to a local branch
• git log confirmed the commit existed in the workspace
• server.log showed 5 consecutive create_pull_request attempts, all returning "Patch generation failed: No changes to commit - no commits found" in ~200ms each
• add_comment succeeded in the same run (confirming safe outputs infrastructure works)
• Agent-generated git format-patch produced a valid 5-file, 75-line patch (saved as artifact)

Documentation gap

The SideRepoOps pattern shows create-pull-request with target-repo but none of the examples include a checkout step or file editing. This implies cross-repo PRs work out of the box, when in practice they require the target repo to be checked out at the workspace root — and even then, patch generation fails due to the credential/SHA issues described above.

Environment

• gh-aw CLI: v0.47.3
• AWF sandbox: v0.20.2 (chroot mode)
• Engine: copilot (gpt-5.3-codex, v0.0.412)
• MCP Gateway: gh-aw-mcpg v0.1.4
• Private repos, fine-grained PAT

[dsyme]

Fixed in #18175 (we hope, testing is hard for theis area)