Switch the branch when using GitHub actions checkout


I have some questions about GitHub actions checkout.

name: CI

# Controls when the action will run.
on:
  # Triggers the workflow on push or pull request events but only for the master branch
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "deploy"
  deploy:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest

    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - name: Checkout
        uses: actions/checkout@v2

      - name: Add content to README.md
        run: echo 'New update' >> README.md

There are two branches in my repo: the default one is master and the other is dev. When I open a pull request from dev to master:

  • Which branch will be checked out here?

  • Which branch does the following code work on?

    - name: Add content to README.md
      run: echo 'New update' >> README.md

  • How can I check out the specified version?

Thank you so much.

It’s covered in the docs:

Refer here to learn which commit $GITHUB_SHA points to for different events.

One of these two references should cover what you’re after:


Technically (at least for a dev branch diverged from master), neither, as your event is pull_request, so you get the /merge of the base and the request.

If you want to be on master for the pull request, you could use pull_request_target instead (it’s a very different event, but, it does give you the destination, i.e. master).

I see, thank you so much.

That is dangerous, because pull_request_target workflows run with additional privileges (see also: Keeping your GitHub Actions and workflows secure: Preventing pwn requests | GitHub Security Lab).

If all you want is to check out a specific branch, you can use the ref parameter to actions/checkout, as described in the documentation @kingthorin linked already:

- uses: actions/checkout@v2
  with:
    ref: my-branch

The example clearly indicated intent to perform an append to an existing file.

Sure, it’s dangerous. But it isn’t going to work if you use pull_request.

I did indicate that the event was very different. I expect that people read the docs when given advice to consider something new.

And the other answer was already given. Repeating it would not have been a good use of space.

True, assuming the file should be pushed back to the repository. Unless PRs are only from within the repository.

Unfortunately in my experience that assumption is wrong more often than not. And either way I think a warning is appropriate when recommending something with potentially dangerous side-effects.

Fair enough. Will you agree we both made foolish assumptions here and leave this conversation alone?
