From be307b6b8fe5745095b2de8587bed94a46b06c5f Mon Sep 17 00:00:00 2001 From: Matt Sturgeon Date: Wed, 1 Jul 2026 14:13:10 +0100 Subject: [PATCH] ci/pr-merged: explicitly checkout base_ref This _should_ be the default, but actions/checkout is still complaining about checking out untrusted PR code. Technically, this workflow only runs on `merged` PRs, so the PR code _is_ trusted anyway. But currently there's no need to use the PR's code. --- .github/workflows/pr-merged.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pr-merged.yml b/.github/workflows/pr-merged.yml index 2d36fab4..d23bb555 100644 --- a/.github/workflows/pr-merged.yml +++ b/.github/workflows/pr-merged.yml @@ -77,6 +77,7 @@ jobs: id: checkout uses: actions/checkout@v7 with: + ref: ${{ github.base_ref }} sparse-checkout: | flake/dev/diff-plugins.py flake.lock