fix(crafter): use actual PR head commit instead of merge commit in GitHub Actions

[waveywaves]

Summary

Fixes #3064.

GitHub Actions creates a temporary merge commit for pull_request events, so .git/HEAD points to that synthetic commit. This causes attestation init to record a ghost commit SHA in git.head that doesn't exist on any branch — breaking the referral graph when cross-referencing with local or agentic attestations.

Root cause

gracefulGitRepoHead() reads repo.Head() directly via go-git, which in a GH Actions PR checkout returns the merge commit. The CI runner already captures GITHUB_EVENT_NAME and GITHUB_EVENT_PATH but these weren't used to correct the git HEAD.

Fix

After gracefulGitRepoHead() resolves HEAD, check if we're in a GitHub Actions pull_request or pull_request_target event. If so, read the actual PR head SHA from the event payload (pull_request.head.sha) and look up that commit in the local repo instead.

• New file: pkg/attestation/crafter/cioverride.go
  • resolveGitHubPRHeadSHA() — reads event JSON, extracts SHA
  • resolveCommitByHash() — opens repo, looks up commit by hash
• Modified: pkg/attestation/crafter/crafter.go — initialCraftingState now calls the override after gracefulGitRepoHead
• Falls back gracefully: if the override SHA can't be resolved (shallow clone, missing object), keeps the merge commit and logs a warning

Design choices

• Separate file (cioverride.go) keeps CI-specific logic out of the general-purpose crafter.go
• Reads env vars directly rather than going through the runner interface — GITHUB_EVENT_NAME and GITHUB_EVENT_PATH only exist in GitHub Actions, so a runner-type check would be redundant
• Re-opens the repo instead of threading the repo handle from gracefulGitRepoHead — the perf cost is negligible for a one-time att init operation, and it keeps the function signatures simple

Future extensibility

The same pattern can be extended for GitLab MR pipelines (CI_MERGE_REQUEST_SOURCE_BRANCH_SHA) by adding another resolver in cioverride.go.

Test plan

• go build ./pkg/attestation/crafter/... passes
• 6 table-driven subtests for resolveGitHubPRHeadSHA: PR event, PR target event, push event, no event, malformed JSON, missing head SHA
• gofmt -l clean
• Commits GPG-signed and DCO signed-off

🤖 Generated with Claude Code

[cubic-dev-ai]

2 issues found across 3 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="pkg/attestation/crafter/cioverride.go">

<violation number="1" location="pkg/attestation/crafter/cioverride.go:85">
P2: New CI override duplicates HEAD commit assembly logic with different error handling than `gracefulGitRepoHead`, risking inconsistent attestation metadata across execution contexts.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[waveywaves]

@migmartri @jiparis Ready for review. Fixes the merge commit SHA bug in GitHub Actions PR workflows (#3064). The hash is always overridden from the event payload — works with default actions/checkout shallow clones (depth=1). Full commit metadata is resolved best-effort when the object is available locally. All commits GPG-signed.

[waveywaves]

@migmartri @jiparis ptal

[migmartri]

Thanks!

[migmartri]

@waveywaves please fix the commit signatures, thanks