fix(ci): resolve fork PR number via head=user:branch lookup#315
Merged
Conversation
The fallback in validate-integration-comment.yml used
GET /repos/{owner}/{repo}/commits/{sha}/pulls to resolve fork PR
numbers when workflow_run.pull_requests was empty. That endpoint
does not index commits that live only in a fork — even though
GitHub stores fork PR heads as refs/pull/{n}/head in the upstream
repo, the commit-to-pulls lookup ignores those refs. As a result
the companion workflow failed on every fork PR with:
::error::Could not resolve PR number for head SHA <fork-sha>
Switch the fallback to GET /repos/{owner}/{repo}/pulls with
head=user:branch. Both inputs (head_repository.full_name and
head_branch) come from the workflow_run event payload, so the
security property the original Codex review was after is
preserved — neither value is influenceable by code that ran on
the original runner during validation. The (head fork user, head
branch) pair uniquely identifies an open PR in this repo (a fork
branch can have at most one open PR against a given upstream).
Verified manually: the new endpoint correctly resolves PR #293
from `lohitya:ls/hubspot-tasks`.
Closes #314
NinosMan
approved these changes
May 1, 2026
TheRealAgentK
added a commit
to lohitya/autohive-integrations
that referenced
this pull request
May 1, 2026
Empty commit to retrigger CI on PR Autohive-AI#293 so we can verify the fork-PR resolution fix from Autohive-AI#315 works end-to-end: Validate Integration Comment should now successfully resolve PR 293 via /pulls?head=lohitya:ls/hubspot-tasks (the previous /commits/{sha}/pulls endpoint was returning empty for fork SHAs) and post the sticky validation-results comment. No code changes.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2f44cfad59
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| # in this repo. | ||
| HEAD_USER="${HEAD_REPO%%/*}" | ||
| PR=$(gh api "repos/$REPO/pulls?state=open&head=$HEAD_USER:$HEAD_BRANCH&per_page=10" \ | ||
| --jq ".[] | select(.head.repo.full_name == \"$HEAD_REPO\" and .head.ref == \"$HEAD_BRANCH\") | .number" \ |
There was a problem hiding this comment.
The --jq expression embeds HEAD_BRANCH directly inside a quoted jq string, but Git branch names can legally contain " (e.g. feature/foo"bar). In that case jq sees invalid syntax and exits non-zero, so PR resolution fails and the comment workflow aborts for that PR. Please pass the value through jq-safe escaping (or use --arg) instead of direct string interpolation.
Useful? React with 👍 / 👎.
Shubhank-Jonnada
pushed a commit
that referenced
this pull request
May 12, 2026
…h unit tests (#293) * feat: add tasks management to HubSpot integration with unit tests * fix: refine hubspot task association logic * fix(hubspot): refine task action handling and tests Restrict HubSpot task updates to the intended task action paths and align task unit tests with the latest task behavior to keep task-scoped changes isolated. Made-with: Cursor * fix(hubspot): correct integration version * fix(hubspot): remove duplicate fetch in get_thread_id_from_ticket The function was making two consecutive identical context.fetch() calls for the ticket URL — a merge artifact from resolving conflicts when master was merged into ls/hubspot-tasks. The extra call shifted mock_context.fetch.call_args_list indices by one in the existing ticket-conversation tests, causing 15 failures in test_hubspot_tickets_unit.py. Removing the duplicate restores the single-fetch behaviour from master. * style(hubspot): apply ruff format to match project line-length Reflow lines in the new task handlers and tests to match the project's 120-char ruff configuration. No behavioural changes. * ci: retrigger Validate Integration after fork-PR comment fix Empty commit to retrigger CI on PR #293 so we can verify the new fork-PR comment pipeline (#313) works end-to-end: 1. Validate Integration (Tooling) should now go ✅ even on a fork PR (uploads artifact instead of attempting an inline 403-bound comment post). 2. Validate Integration Comment companion should run, resolve the PR number from the workflow_run event payload, and post the sticky validation-results comment. No code changes. Safe to drop / squash on merge. * ci: retrigger after fork PR resolution fix Empty commit to retrigger CI on PR #293 so we can verify the fork-PR resolution fix from #315 works end-to-end: Validate Integration Comment should now successfully resolve PR 293 via /pulls?head=lohitya:ls/hubspot-tasks (the previous /commits/{sha}/pulls endpoint was returning empty for fork SHAs) and post the sticky validation-results comment. No code changes. * fix(hubspot): align task actions with schema and version bump * test(hubspot): align task unit tests with hs_task_* inputs and adds context.py This commit adds context.py for structure validation and aligns canonical HubSpot task property names. * docs(hubspot): align README task sections with config schema This commit aligns README file with updated config schema * refactor(hubspot): remove dead context.py shim and simplify test imports - Delete unused tests/context.py (was scaffolding, never imported) - Simplify tests/conftest.py to only put integration root on sys.path - Replace per-file importlib.spec_from_file_location boilerplate with plain 'from hubspot.hubspot import ...' imports across all test files - Apply ruff format using the tooling ruff.toml config --------- Co-authored-by: Kai Koenig <kai@ventego-creative.co.nz>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #314.
What
Fixes the
Resolve PR numberstep in.github/workflows/validate-integration-comment.ymlso it actually finds fork PRs. Switches the fallback API call from:to:
HEAD_USERis derived fromworkflow_run.head_repository.full_name(which is<user>/<repo>for both same-repo and fork PRs);HEAD_BRANCHisworkflow_run.head_branch. Both come from the trusted event payload — same security property the original Codex review was after. Neither is influenceable by anything that ran on the runner during validation.Why
The previous fallback endpoint (
/commits/{sha}/pulls) does not index commits that live only in a fork. Even though GitHub stores fork PR heads asrefs/pull/{n}/headin the upstream repo, the commit-to-pulls lookup ignores those refs. So on every fork PR the companion workflow failed with:Concrete failure: run 25200317388 on PR #293, commit
ecd929b.The
/pulls?head=user:branchendpoint does work for fork PRs because it filters by ref name and head-repo — neither requires the commit to be reachable from the upstream default branch.Verification
Verified manually that the new endpoint resolves the fork PR correctly:
End-to-end verification (after merge): push another empty commit to
lohitya/ls/hubspot-tasksto retrigger PR #293's CI; expectValidate Integration Commentto succeed and the sticky comment to appear on #293.Uniqueness assumption
The
(head_repo.full_name, head_branch)pair uniquely identifies an open PR in this repo: a fork branch can have at most one open PR against a given upstream (GitHub enforces this — opening a second PR with the same head/base pair is rejected). The--jqfilter explicitly checkshead.repo.full_nameANDhead.refso we're not relying solely on the API'shead=user:branchquery parameter.One-time blind spot during this PR's review
Same as #313: this PR's own validation comment won't appear, because the workflow file change is on the PR branch and
workflow_runreads from the default branch. The validate workflow itself will run normally (✅).