GitHub will tell you that doing this is incredibly dangerous. And they’re right.
If you’re going to do something like this, I’d encourage you to create a fork (or clone) of your repository and instead of running deployments in your main repository, trigger deployments in your fork. (The fork doesn’t even need to be in the fork network for your main repository.)
If I was doing that, I’d create an ssh deploy key for my fork, put the private key into my main repository’s secrets and then I’d do something like:
# create a throwaway branch named after the PR
git checkout -b deploy-$PR_NUMBER
# install the fork's private deploy key (from the main repository's secrets)
mkdir -p ~/.ssh
echo "$MY_DEPLOY_KEY" > ~/.ssh/id_rsa
chmod 0400 ~/.ssh/id_rsa
# push the branch to the fork over ssh
git remote add fork email@example.com:fork-org/myrepo.git
git push fork deploy-$PR_NUMBER
And then sprinkle whatever magic is necessary for the fork to respond to the push to trigger the deploy.
The error message is technically correct.
ref/pull/.../merge is not a branch or tag in your repository, you said so yourself.
By creating a branch deploy-$PR_NUMBER, and then pushing it into fork, the above snippet would establish a branch that is present in fork and thus satisfy the requirement. And by not putting it into a repository that people clone/fork/do things with, you reduce the attack surface a smidgen (it’s still as dangerous as deploying untrusted code on a deployment can be, because it’s exactly that, but that’s beyond the scope here).
In response to pushes to your default branch in your main repository, you can push your default branch forward in your fork if you like, that would enable them to be a bit synchronized…
But be sure that your workflows explicitly check the org+repo name and only run if they’re operating on the right repository – see docs/open-enterprise-issue.yml and docs/confirm-internal-staff-work-in-docs.yml in github/docs at f5386da34890d88fa83c6b007316d76a0b862694 for example.
You don’t want this code to run on forks that other users make of your repository – it’s really frustrating when workflows run in forks when they’re really only designed to run in a specific repository.
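As an added example (not the poster's own code), one way to wire the above into GitHub Actions: the main repository's workflow refuses to run anywhere but the intended repository, then pushes a real deploy branch to the fork, and the fork's workflow deploys from that branch. The repository names (main-org/myrepo, fork-org/myrepo), the secret name, the environment name, the deploy script path and the pull_request trigger are all assumptions.

```yaml
# .github/workflows/push-to-deploy-fork.yml (main repository, assumed name main-org/myrepo)
name: Push PR to deploy fork
on:
  pull_request:   # assumed trigger; the PR ref here is refs/pull/<n>/merge, not a branch
jobs:
  push-to-fork:
    # Guard: never run in forks that other users make of this repository
    if: github.repository == 'main-org/myrepo'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install the fork's private deploy key
        env:
          DEPLOY_KEY: ${{ secrets.FORK_DEPLOY_KEY }}   # assumed secret name
        run: |
          umask 077                                   # key files are created 0600
          mkdir -p ~/.ssh
          printf '%s\n' "$DEPLOY_KEY" > ~/.ssh/id_ed25519
          ssh-keyscan github.com >> ~/.ssh/known_hosts
      - name: Push a real branch for this PR to the fork
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          git checkout -b "deploy-$PR_NUMBER"
          git remote add fork git@github.com:fork-org/myrepo.git
          # force, because the branch is re-created on every PR update
          git push --force fork "deploy-$PR_NUMBER"
---
# .github/workflows/deploy.yml (the fork, assumed name fork-org/myrepo)
name: Deploy PR branch
on:
  push:
    branches: ['deploy-*']   # a real branch, so the environment's branch rule is satisfied
jobs:
  deploy:
    # Same guard on the fork side: only this repository may deploy
    if: github.repository == 'fork-org/myrepo'
    runs-on: ubuntu-latest
    environment: production  # assumed environment name
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/deploy.sh   # assumed deploy script
```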