checkout: false aborts with 'not a git repository' on PR triggers; pull_request_target also racey with microsoft/apm-action

[danielmeppiel]

Summary

Two gh-aw v0.71.5 issues hit during real-world wiring of a pull_request_target review-panel workflow at hackathon-white-pig-8/zava-storefront. Both blocked the run before the agent started; both have local workarounds. Filing for upstream visibility.

Repro context

• gh-aw v0.71.5
• Engine: copilot (claude-sonnet-4.6)
• Workflow uses microsoft/apm-action@v1.6.0 to install APM bundles
• Workflow source: pr-review-panel.md

Issue 1 — checkout: false is incompatible with PR-context triggers

When checkout: false is set under any PR trigger (pull_request or pull_request_target), the compiler still emits a Checkout PR branch step in the agent job. That step runs checkout_pr_branch.cjs via actions/github-script, which executes git fetch / git rev-parse against the runner's working directory — but with checkout: false, no actions/checkout ran, so there is no .git and the helper aborts:

fatal: not a git repository (or any of the parent directories): .git
##[error]Event type: pull_request
##[error]PR number: 3
##[error]Error message: The process '/usr/bin/git' failed with exit code 128
##[error]Attempted to check out: test/panel-smoke
##[error]ERR_API: Failed to checkout PR branch: The process '/usr/bin/git' failed with exit code 128

Failing run (pull_request): https://github.com/hackathon-white-pig-8/zava-storefront/actions/runs/25479961077

Workaround: remove checkout: false. After removal the next run was fully green: https://github.com/hackathon-white-pig-8/zava-storefront/actions/runs/25480109686.

Suggested fix: when checkout: false is in frontmatter and the trigger is PR-context, either (a) skip the Checkout PR branch helper step entirely in the compiled lock yml, or (b) emit a fast-fail at compile time so users learn this isn't a supported combination before they ship.

Issue 2 — pull_request_target × microsoft/apm-action wipes .git before the helper runs

Independent of Issue 1: with pull_request_target and checkout: true (default), the lock yml correctly emits an actions/checkout (sparse) step early in the agent job, which DOES create .git. But by the time the Checkout PR branch helper runs (after the microsoft/apm-action@v1.6.0 step that installs bundles), .git is gone and the same fatal: not a git repository error fires.

Failing run (pull_request_target): https://github.com/hackathon-white-pig-8/zava-storefront/actions/runs/25479764768

I have not yet root-caused which step wipes .git — it's somewhere between the sparse-checkout step (lock line ~152) and the Checkout PR branch helper (lock line ~434). Strong suspicion is microsoft/apm-action (line ~430) altering the workspace, but it could be one of the intervening agent-config save/restore steps.

Workaround: switch the workflow trigger from pull_request_target to pull_request. This loses fork-safety but is acceptable in a workshop / same-org context where label application requires repo write.

Suggested investigation: repro inside gh aw test fixtures with microsoft/apm-action enabled, isolate the step that wipes .git, and either preserve the workspace or have the helper re-actions/checkout lazily before its git operations.

Why both matter together

Anyone vendoring a pull_request_target review-panel workflow alongside microsoft/apm-action (the canonical pattern for fork-safe agentic CI) currently can't ship: Issue 2 forces them off _target, and if they try checkout: false as a defensive measure on the way to pull_request, Issue 1 catches them. The combination meant ~3 hours of debugging across 4 failed runs before we got to green.

Reference

• Local fix PRs: #4 (trigger swap), #5 (remove checkout: false)
• Smoke green: run 25480109686, advisory comment posted on PR #3

Happy to bring more repro detail or test against a fix candidate.

[danielmeppiel]

Update — RCA done locally against gh-aw@6c1b6bd69 and microsoft/apm-action@v1.6.0. The two failing runs are the same bug, not two. Issue 2 retracted; microsoft/apm-action is innocent. Sharper Issue 1 + a patch + a branch ready to cherry-pick below.

(Apologies for the original "two bugs" framing — I jumped to a pull_request_target × supply-chain hypothesis before finishing the RCA.)

---

Single root cause

pkg/workflow/compiler_yaml_main_job.go has two places that emit git-dependent steps:

1. Line ~228 — generateGitConfigurationSteps is correctly gated on needsGitConfig := needsCheckout || customStepsContainCheckout. The original author noted the precondition explicitly: without .git, git remote set-url origin would crash.
2. Line ~241 (this bug) — c.generatePRReadyForReviewCheckout(yaml, data) is called unconditionally. The "Checkout PR branch" helper it emits (actions/setup/js/checkout_pr_branch.cjs) shells out to git fetch origin (line 153) and gh pr checkout (line 180) — both require a .git directory. With checkout: false and no custom checkout step, the workspace is bare and the helper fails the entire agent job with fatal: not a git repository before the agent ever runs.

Setting checkout: false correctly suppresses gate (1) via shouldAddCheckoutStep in compiler_jobs.go:759 (which honors CheckoutDisabled), but gate (2) was missed.

Proof that Issue 2 is the same bug, not a separate pull_request_target × apm-action interaction

Both failing runs in our smoke test had checkout: false in their workflow source at the head SHA:

• Run 25479764768 (pull_request_target variant) — workflow source line 80: checkout: false
• Run 25479961077 (pull_request variant) — workflow source line 70: checkout: false

Step-by-step inspection of run 25479764768's agent job logs:

• Step 11 (apm-action@v1.6.0 restoring APM) ran with working-directory: . and successfully unpacked 31 files into /home/runner/work/zava-storefront/zava-storefront. No .git to wipe — .git was never created by any prior step. No actions/checkout appears anywhere in the job's step list.
• Step 12 (Checkout PR branch) immediately failed with fatal: not a git repository (or any of the parent directories): .git.

The sister apm-prep job's apm-action invocation runs in /tmp/gh-aw/apm-workspace — entirely outside the repo workspace — so it cannot affect the agent job's working directory either way.

I also re-read microsoft/apm-action@v1.6.0 end-to-end: src/runner.ts and the install/restore paths never touch .git. (For what it's worth, v1.4.2 was released specifically to keep apm-action from dirtying the workspace.)

Patch (cherry-pick ready)

I have a branch with the fix + two regression tests at:
👉 https://github.com/danielmeppiel/gh-aw/tree/fix/pr-checkout-honor-checkout-disabled

(Couldn't open a PR — github/gh-aw blocks fork-based PRs from non-org members. Happy to do whatever wires this into your contribution flow — file under your name, get added as a contributor, etc.)

The change is two files, +51/-2:

pkg/workflow/compiler_yaml_main_job.go — gate the helper on the same precondition the git-config step already uses:

// Add step to checkout PR branch if the event is pull_request.
// The PR-checkout helper runs `git fetch` / `gh pr checkout` against the workspace
// and therefore requires a .git directory, which is only present when the repo was
// checked out. Skip it when checkout is disabled and no custom steps perform a
// checkout — otherwise the helper aborts with "fatal: not a git repository" and
// the entire agent job fails before the agent ever runs.
if needsGitConfig {
    c.generatePRReadyForReviewCheckout(yaml, data)
} else {
    compilerYamlLog.Print("Skipping PR-checkout helper: checkout disabled and custom steps do not check out (helper requires .git in workspace)")
}

This preserves the existing escape hatch: if the user opted out of actions/checkout but supplied a custom step that does its own checkout, customStepsContainCheckout is true and the helper still emits.

pkg/workflow/pr_ready_for_review_checkout_test.go — added two regression cases to TestPRCheckout:

• pull_request + checkout: false ⇒ helper MUST NOT emit
• pull_request_target + checkout: false ⇒ helper MUST NOT emit

Both fail before the patch and pass after. Full integration suite green locally:

$ go test -tags=integration ./pkg/workflow/ -count=1
ok  github.com/github/gh-aw/pkg/workflow  57.770s

Workaround (until fix lands)

Either:

• remove checkout: false from PR-context workflows, or
• add a custom step in steps: that performs a checkout (will set customStepsContainCheckout=true once the fix lands; today, even without the fix, this also works because the helper at least has a .git to operate on).

Optional polish (orthogonal to the fix)

actions/setup/js/checkout_pr_branch.cjs could detect fatal: not a git repository in its catch path and emit a hint pointing at checkout: false — would have saved me ~3 hours.