Pull request overview
Improves reliability and security of the “create/push to PR” workflow outputs by hard-blocking fork PR pushes, making patch generation more robust for cross-repo checkouts, and tightening the “extra empty commit” CI-trigger behavior.
Changes:
- Add fork-PR detection/export and enforce early rejection for push-to-PR-branch flows.
- Enhance patch generation/application for cross-repo scenarios (incremental patch mode, git am --3way, additional fallback strategy).
- Restrict the CI-trigger empty commit to cases with exactly 1 new commit, and fix process.env restoration patterns in tests.
Reviewed changes
Copilot reviewed 23 out of 23 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| docs/src/content/docs/reference/safe-outputs.md | Documents fork PR limitation for push-to-pull-request-branch. |
| actions/setup/js/workflow_metadata_helpers.test.cjs | Restores process.env via in-place mutation to avoid breaking Node env semantics. |
| actions/setup/js/safe_outputs_mcp_server_defaults.test.cjs | Updates env cleanup to mutate process.env in place. |
| actions/setup/js/safe_outputs_mcp_large_content.test.cjs | Updates env cleanup to mutate process.env in place. |
| actions/setup/js/safe_outputs_handlers.test.cjs | Adds fork PR rejection tests and updates expected patch-generation error text; removes // @ts-check. |
| actions/setup/js/safe_outputs_handlers.cjs | Rejects fork PRs early (via GH_AW_IS_FORK_PR) and switches to incremental patch generation for PR-branch pushes. |
| actions/setup/js/safe_outputs_branch_detection.test.cjs | Updates env cleanup to mutate process.env in place. |
| actions/setup/js/push_to_pull_request_branch.test.cjs | Adds extensive unit test coverage for push-to-PR-branch scenarios (context variations, forks, errors, CI trigger behavior). |
| actions/setup/js/push_to_pull_request_branch.cjs | Adds cross-repo repo resolution + fork detection; uses git am --3way; counts new commits to gate CI-trigger empty commit. |
| actions/setup/js/interpolate_prompt.test.cjs | Updates env cleanup to mutate process.env in place. |
| actions/setup/js/handle_noop_message.test.cjs | Updates env cleanup to mutate process.env in place. |
| actions/setup/js/git_patch_integration.test.cjs | Adds integration-style tests that execute real git commands for patch generation/application scenarios. |
| actions/setup/js/generate_git_patch.test.cjs | Adds tests for cross-repo checkout behavior and incremental mode; adds sanitization/path tests. |
| actions/setup/js/generate_git_patch.cjs | Adds patch generation modes (full vs incremental), improves cross-repo resilience, and adds a remote-ref based fallback strategy. |
| actions/setup/js/extra_empty_commit.test.cjs | Adds tests validating newCommitCount gating behavior. |
| actions/setup/js/extra_empty_commit.cjs | Gates extra empty commit on newCommitCount === 1 to reduce CI-trigger risk/loops. |
| actions/setup/js/create_pull_request.cjs | Applies patches with git am --3way and gates CI-trigger empty commit using computed commit count. |
| actions/setup/js/create_issue.test.cjs | Updates env cleanup to mutate process.env in place; removes // @ts-check. |
| actions/setup/js/create_discussion_labels.test.cjs | Updates env cleanup to mutate process.env in place. |
| actions/setup/js/create_discussion_fallback.test.cjs | Updates env cleanup to mutate process.env in place. |
| actions/setup/js/create_discussion_category_normalization.test.cjs | Updates env cleanup to mutate process.env in place. |
| actions/setup/js/checkout_pr_branch.test.cjs | Adds assertions for exporting GH_AW_IS_FORK_PR and updates mocks accordingly. |
| actions/setup/js/checkout_pr_branch.cjs | Exports GH_AW_IS_FORK_PR during PR checkout for downstream fork-safe behavior. |
This was referenced Feb 24, 2026
Summary
- GH_AW_IS_FORK_PR env var during PR checkout and reject fork PRs early in push_to_pull_request_branch to prevent unauthorized pushes to fork repositories
- git am to --3way mode, add incremental patch generation mode, and add a cross-repo fallback strategy (Strategy 3) for scenarios where GITHUB_SHA or remote refs are unavailable (e.g. persist-credentials: false)
- process.env restoration in tests to mutate in place rather than replacing the object reference
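
A sketch of the fork check and early rejection summarized above, as an added example rather than the pull request's own code. The helper names and the fail-closed handling of a missing head repository or an unset flag are assumptions; only the GH_AW_IS_FORK_PR name comes from the page, and `head.repo.full_name` / `base.repo.full_name` are fields of GitHub's pull_request payload.

```javascript
// Added example: hypothetical helpers. Only the GH_AW_IS_FORK_PR name is from the page.

// True when the PR head lives in a different repository than the base.
// Fails closed: a missing head repo (for example a deleted fork) counts as a fork.
function isForkPullRequest(pr) {
  const head = pr?.head?.repo?.full_name;
  const base = pr?.base?.repo?.full_name;
  if (typeof head !== "string" || typeof base !== "string") return true;
  // GitHub owner/repo names are case-insensitive.
  return head.toLowerCase() !== base.toLowerCase();
}

// Checkout step: record the decision as a string, since env values are always strings.
function exportForkFlag(pr, env) {
  env.GH_AW_IS_FORK_PR = isForkPullRequest(pr) ? "true" : "false";
  return env.GH_AW_IS_FORK_PR;
}

// Push step: refuse before any patch or git work unless the flag says "false".
// Treating an unset or unexpected value as a fork is this example's choice.
function checkPushAllowed(env) {
  if (env.GH_AW_IS_FORK_PR === "false") return { allowed: true };
  return {
    allowed: false,
    error: "push-to-pull-request-branch is not supported for fork pull requests",
  };
}

// Constructed payload fragments (not captured from a real event).
const samePr = { head: { repo: { full_name: "octo-org/app" } }, base: { repo: { full_name: "Octo-Org/app" } } };
const forkPr = { head: { repo: { full_name: "someone/app" } }, base: { repo: { full_name: "octo-org/app" } } };
const deletedForkPr = { head: { repo: null }, base: { repo: { full_name: "octo-org/app" } } };

for (const [label, pr] of [["same-repo", samePr], ["fork", forkPr], ["deleted fork", deletedForkPr]]) {
  const env = {}; // stand-in for process.env so the example has no side effects
  exportForkFlag(pr, env);
  console.log(label, env.GH_AW_IS_FORK_PR, checkPushAllowed(env).allowed);
}
```

Comparing repository full names, rather than reading `head.repo.fork`, keeps a pull request opened inside a repository that is itself a fork classified as same-repo.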