Allow checkout of a different repository and ref in plan/apply #23
Merged
Conversation
The base workflow checks out the repository that initiated the run.
This works for Kosli, where each repository calls the workflow for its
own Terraform code, but breaks for orchestrators such as the CyberDojo
production deployment system, where a single repository iterates over
several repositories and runs apply.yml for each.
Add an optional github_repository_to_checkout input to the base, plan
and apply workflows, defaulting to ${{ github.repository }} so existing
callers are unaffected. Callers can now point the checkout at a specific
repository.
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
The reset-drift-detection job's checkout previously always used the repository that initiated the run. The Kosli attest steps in this job read the local git repository for commit metadata, so for an orchestrator such as the CyberDojo production deployment system the attestations would have referenced the orchestrator's commit rather than the target repository's. Make this checkout honour github_repository_to_checkout, matching the checkout in base.yml, so the attestations reference the repository that was actually applied. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
The base workflow already accepts a ref input to check out a specific git reference, but the plan and apply workflows neither exposed nor forwarded it, so callers had no way to reach it. Add a ref input to both workflows and pass it through to base.yml. Also apply it to the reset-drift-detection checkout so its Kosli attestations reference the same git reference that was applied. This lets an orchestrator such as the CyberDojo production deployment system pin a deployment to a specific git tag or SHA. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Summary
The base workflow checks out the repository that initiated the run, which works for Kosli (each repository calls the workflow for its own Terraform code) but breaks for orchestrators such as the CyberDojo production deployment system, where a single repository iterates over several repositories and runs apply.yml for each.

This PR adds two optional inputs, threaded through plan.yml and apply.yml into base.yml:

- github_repository_to_checkout — the repository (owner/name) to check out. Defaults to ${{ github.repository }}, so existing callers are unaffected. The reset-drift-detection checkout in apply.yml honours it too, so Kosli attestations reference the repository that was actually applied.
- ref — the git reference (branch, tag or SHA) to check out. base.yml already accepted this, but plan.yml/apply.yml neither exposed nor forwarded it. Defaults to "" (the default branch).

Together these let an orchestrator point a plan/apply at a specific repository pinned to a specific git tag or SHA.
Notes
GITHUB_TOKEN can check them out — no extra token input needed.

🤖 Generated with Claude Code
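As an added illustration, not the project's own files, here are the three workflow layers the PR describes: an orchestrator calling apply.yml once per target repository, apply.yml exposing and forwarding the two inputs, and base.yml handing them to actions/checkout. Organisation, repository and tag names are placeholders, and the checkout assumes GITHUB_TOKEN can read each target repository, as the note above states.

```yaml
# Constructed example: three YAML documents separated by "---".
# 1) orchestrator caller, 2) apply.yml forwarding inputs, 3) base.yml using them.
name: deploy-all
on: workflow_dispatch
jobs:
  apply:
    strategy:
      matrix:
        include:   # placeholder targets, each pinned to a tag or full SHA
          - { repo: example-org/service-a, ref: v1.4.2 }
          - { repo: example-org/service-b, ref: 0123456789abcdef0123456789abcdef01234567 }
    uses: example-org/terraform-workflows/.github/workflows/apply.yml@main
    with:
      github_repository_to_checkout: ${{ matrix.repo }}
      ref: ${{ matrix.ref }}
    secrets: inherit
---
# apply.yml: expose both inputs and forward them unchanged to base.yml.
on:
  workflow_call:
    inputs:
      github_repository_to_checkout: { type: string, required: false, default: "${{ github.repository }}" }
      ref: { type: string, required: false, default: "" }
jobs:
  base:
    uses: ./.github/workflows/base.yml
    with:
      github_repository_to_checkout: ${{ inputs.github_repository_to_checkout }}
      ref: ${{ inputs.ref }}
    secrets: inherit
---
# base.yml: the checkout honours the inputs. With the defaults it checks out the
# repository and default branch that initiated the run, so old callers are unaffected.
on:
  workflow_call:
    inputs:
      github_repository_to_checkout: { type: string, required: false, default: "${{ github.repository }}" }
      ref: { type: string, required: false, default: "" }
jobs:
  apply:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          repository: ${{ inputs.github_repository_to_checkout }}
          ref: ${{ inputs.ref }}
          # GITHUB_TOKEN (the checkout default) must be able to read the target;
          # a private repository it cannot read makes this step fail rather than
          # silently falling back to the caller's repository.
      - run: git rev-parse HEAD   # attestation steps read commit metadata from this checkout
```

Because the attestation steps read the local checkout, the commit they record is the target repository's pinned ref, not the orchestrator's, which is the point of the reset-drift-detection change above.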