fix: query repo default branch instead of hardcoding 'main' (#20098) (#20099)

dsyme · web-flow · commit cc0d007909a3 · 2026-03-08T18:23:31.000Z
* fix: query repo default branch instead of hardcoding 'main' (#20098) When no explicit base branch is configured and the event context doesn't provide one, getBaseBranch() was falling back to hardcoded "main". This caused failures for repos whose default branch is not "main" (e.g. "master", "develop") - the git fetch for the base branch would fail with "fatal: couldn't find remote ref main". Fix: add a new step 5 that queries the GitHub API for the repository's default_branch before falling back to DEFAULT_BRANCH env var or "main". * fix: resolve base branch before cross-repo checkout; remove hardcoded 'master' fallback - In create_pull_request.cjs, move getBaseBranch() resolution to before checkoutManager.switchTo() so cross-repo checkout uses the correct default branch instead of hardcoded 'main' - In dynamic_checkout.cjs, remove the hardcoded 'master' fallback when 'main' is not found. This assumed only 'main' or 'master' could be the default branch, which is incorrect. The resolved branch is now always passed correctly by the caller. * test: add tests for no-silent-master-fallback behavior in dynamic_checkout * perf: use context.payload.repository.default_branch before API call in step 5 Most GitHub Actions event payloads include repository.default_branch, so we can read it directly from the payload without making an API call. Only fall back to repos.get() when: - targetRepo is explicitly provided (cross-repo: payload would have the wrong repo's default branch) - The payload doesn't include repository.default_branch This matches the pattern used in dispatch_workflow.cjs and avoids unnecessary API calls that count against rate limits. * update get base branch
diff --git a/actions/setup/js/create_pull_request.cjs b/actions/setup/js/create_pull_request.cjs
@@ -257,10 +257,17 @@ async function main(config = {}) {
     const { repo: itemRepo, repoParts } = repoResult;
     core.info(`Target repository: ${itemRepo}`);
 
+    // Resolve base branch for this target repository
+    // Use config value if set, otherwise resolve dynamically for the specific target repo
+    // Dynamic resolution is needed for issue_comment events on PRs where the base branch
+    // is not available in GitHub Actions expressions and requires an API call
+    // NOTE: Must be resolved before checkout so cross-repo checkout uses the correct branch
+    let baseBranch = configBaseBranch || (await getBaseBranch(repoParts));
+
     // Multi-repo support: Switch checkout to target repo if different from current
     // This enables creating PRs in multiple repos from a single workflow run
     if (checkoutManager && itemRepo) {
-      const switchResult = await checkoutManager.switchTo(itemRepo, { baseBranch: configBaseBranch });
+      const switchResult = await checkoutManager.switchTo(itemRepo, { baseBranch });
       if (!switchResult.success) {
         core.warning(`Failed to switch to repository ${itemRepo}: ${switchResult.error}`);
         return {
@@ -273,12 +280,6 @@ async function main(config = {}) {
       }
     }
 
-    // Resolve base branch for this target repository
-    // Use config value if set, otherwise resolve dynamically for the specific target repo
-    // Dynamic resolution is needed for issue_comment events on PRs where the base branch
-    // is not available in GitHub Actions expressions and requires an API call
-    let baseBranch = configBaseBranch || (await getBaseBranch(repoParts));
-
     // SECURITY: Sanitize dynamically resolved base branch to prevent shell injection
     const originalBaseBranch = baseBranch;
     baseBranch = normalizeBranchName(baseBranch);
diff --git a/actions/setup/js/dynamic_checkout.cjs b/actions/setup/js/dynamic_checkout.cjs
@@ -108,13 +108,7 @@ async function checkoutRepo(repoSlug, token, options = {}) {
     try {
       await exec.exec("git", ["checkout", "-B", baseBranch, `origin/${baseBranch}`]);
     } catch {
-      // Try 'master' if 'main' doesn't exist
-      if (baseBranch === "main") {
-        core.info("main branch not found, trying master");
-        await exec.exec("git", ["checkout", "-B", "master", "origin/master"]);
-      } else {
-        throw new Error(`Base branch ${baseBranch} not found in ${repoSlug}`);
-      }
+      throw new Error(`Base branch ${baseBranch} not found in ${repoSlug}`);
     }
 
     // Clean up any local changes
diff --git a/actions/setup/js/dynamic_checkout.test.cjs b/actions/setup/js/dynamic_checkout.test.cjs
@@ -167,6 +167,40 @@ describe("checkoutRepo slug validation", () => {
       expect(result.error).not.toContain("Invalid repository slug");
     }
   });
+
+  it("should fail with error when specified branch does not exist, not silently fall back", async () => {
+    // Simulate git checkout failing for the specified branch
+    let callCount = 0;
+    mockExec.exec = vi.fn().mockImplementation((_cmd, args) => {
+      if (args && args[0] === "checkout") {
+        throw new Error("fatal: Remote branch develop not found");
+      }
+      return Promise.resolve(0);
+    });
+
+    const result = await checkoutRepo("owner/repo", "fake-token", { baseBranch: "develop" });
+
+    // Should fail with an error about the branch, NOT silently fall back to master
+    expect(result.success).toBe(false);
+    expect(result.error).toContain("develop");
+    expect(result.error).not.toContain("master");
+  });
+
+  it("should fail with error when 'main' branch does not exist, not silently fall back to master", async () => {
+    // Simulate git checkout failing for 'main' - previously this would silently try 'master'
+    mockExec.exec = vi.fn().mockImplementation((_cmd, args) => {
+      if (args && args[0] === "checkout") {
+        throw new Error("fatal: Remote branch main not found");
+      }
+      return Promise.resolve(0);
+    });
+
+    const result = await checkoutRepo("owner/repo", "fake-token", { baseBranch: "main" });
+
+    // Should fail rather than silently trying 'master'
+    expect(result.success).toBe(false);
+    expect(result.error).toContain("main");
+  });
 });
 
 describe("getCurrentCheckoutRepo URL parsing", () => {
diff --git a/actions/setup/js/get_base_branch.cjs b/actions/setup/js/get_base_branch.cjs
@@ -2,6 +2,7 @@
 /// <reference types="@actions/github-script" />
 
 const { validateTargetRepo, parseAllowedRepos, getDefaultTargetRepo } = require("./repo_helpers.cjs");
+const { getErrorMessage } = require("./error_helpers.cjs");
 
 /**
  * Get the base branch name, resolving dynamically based on event context.
@@ -11,10 +12,12 @@ const { validateTargetRepo, parseAllowedRepos, getDefaultTargetRepo } = require(
  * 2. github.base_ref env var (set for pull_request/pull_request_target events)
  * 3. Pull request payload base ref (pull_request_review, pull_request_review_comment events)
  * 4. API lookup for issue_comment events on PRs (the PR's base ref is not in the payload)
- * 5. Fallback to DEFAULT_BRANCH env var or "main"
+ * 5. context.payload.repository.default_branch (included in most event payloads, no API call)
+ * 5b. API lookup via repos.get() when payload doesn't have it (e.g. cross-repo scenarios)
+ * 6. Fallback to DEFAULT_BRANCH env var or "main"
  *
  * @param {{owner: string, repo: string}|null} [targetRepo] - Optional target repository.
- *   If provided, API calls (step 4) use this instead of context.repo,
+ *   If provided, API calls (steps 4 and 5) use this instead of context.repo,
  *   which is needed for cross-repo scenarios where the target repo differs
  *   from the workflow repository.
  * @returns {Promise<string>} The base branch name
@@ -67,12 +70,57 @@ async function getBaseBranch(targetRepo = null) {
     } catch (/** @type {any} */ error) {
       // Fall through to default if API call fails
       if (typeof core !== "undefined") {
-        core.warning(`Failed to fetch PR base branch: ${error.message}`);
+        core.warning(`Failed to fetch PR base branch: ${getErrorMessage(error)}`);
       }
     }
   }
 
-  // 5. Fallback to DEFAULT_BRANCH env var or "main"
+  // 5. Repository default branch - from payload first, then API lookup
+  // Many events include context.payload.repository.default_branch, so we check that
+  // first to avoid an unnecessary API call and reduce rate-limit risk.
+  // Only fall back to repos.get() when the payload doesn't have the value
+  // (e.g. cross-repo scenarios where targetRepo differs from the workflow repo).
+  {
+    const repoOwner = targetRepo?.owner ?? (typeof context !== "undefined" ? context.repo?.owner : null);
+    const repoName = targetRepo?.repo ?? (typeof context !== "undefined" ? context.repo?.repo : null);
+
+    // If no targetRepo override, check the payload first (free - no API call)
+    if (!targetRepo && typeof context !== "undefined" && context.payload?.repository?.default_branch) {
+      return context.payload.repository.default_branch;
+    }
+
+    // Otherwise fall back to repos.get() API call
+    if (repoOwner && repoName && typeof github !== "undefined") {
+      try {
+        // SECURITY: Validate target repo against allowlist before any API calls
+        const targetRepoSlug = `${repoOwner}/${repoName}`;
+        const allowedRepos = parseAllowedRepos(process.env.GH_AW_ALLOWED_REPOS);
+        if (allowedRepos.size > 0) {
+          const defaultRepo = getDefaultTargetRepo();
+          const validation = validateTargetRepo(targetRepoSlug, defaultRepo, allowedRepos);
+          if (!validation.valid) {
+            if (typeof core !== "undefined") {
+              core.warning(`ERR_VALIDATION: ${validation.error}`);
+            }
+            return process.env.DEFAULT_BRANCH || "main";
+          }
+        }
+
+        const { data: repoData } = await github.rest.repos.get({
+          owner: repoOwner,
+          repo: repoName,
+        });
+        return repoData.default_branch;
+      } catch (/** @type {any} */ error) {
+        // Fall through to default if API call fails
+        if (typeof core !== "undefined") {
+          core.warning(`Failed to fetch repository default branch: ${getErrorMessage(error)}`);
+        }
+      }
+    }
+  }
+
+  // 6. Fallback to DEFAULT_BRANCH env var or "main"
   return process.env.DEFAULT_BRANCH || "main";
 }
 
diff --git a/actions/setup/js/get_base_branch.test.cjs b/actions/setup/js/get_base_branch.test.cjs
@@ -99,4 +99,115 @@ describe("getBaseBranch", () => {
     const result3 = await getBaseBranch();
     expect(result3).toBe("custom-branch");
   });
+
+  it("should return context.payload.repository.default_branch without an API call", async () => {
+    const mockGetRepo = vi.fn();
+    global.github = {
+      rest: { repos: { get: mockGetRepo } },
+    };
+    global.context = {
+      repo: { owner: "test-owner", repo: "test-repo" },
+      eventName: "push",
+      payload: { repository: { default_branch: "trunk" } },
+    };
+
+    const { getBaseBranch } = await import("./get_base_branch.cjs");
+    const result = await getBaseBranch();
+
+    expect(result).toBe("trunk");
+    expect(mockGetRepo).not.toHaveBeenCalled();
+  });
+
+  it("should query GitHub API for repo default branch when payload does not have it", async () => {
+    const mockGetRepo = vi.fn().mockResolvedValue({ data: { default_branch: "master" } });
+    global.github = {
+      rest: {
+        repos: {
+          get: mockGetRepo,
+        },
+      },
+    };
+    global.context = {
+      repo: { owner: "test-owner", repo: "test-repo" },
+      eventName: "workflow_dispatch",
+      payload: {},
+    };
+
+    const { getBaseBranch } = await import("./get_base_branch.cjs");
+    const result = await getBaseBranch();
+
+    expect(mockGetRepo).toHaveBeenCalledWith({ owner: "test-owner", repo: "test-repo" });
+    expect(result).toBe("master");
+  });
+
+  it("should use repos.get() for targetRepo (cross-repo) even when payload has default_branch", async () => {
+    const mockGetRepo = vi.fn().mockResolvedValue({ data: { default_branch: "develop" } });
+    global.github = {
+      rest: { repos: { get: mockGetRepo } },
+    };
+    global.context = {
+      repo: { owner: "workflow-owner", repo: "workflow-repo" },
+      eventName: "issue_comment",
+      payload: { repository: { default_branch: "main" } },
+    };
+
+    const { getBaseBranch } = await import("./get_base_branch.cjs");
+    // targetRepo differs from the workflow repo - must use API, not payload
+    const result = await getBaseBranch({ owner: "target-owner", repo: "target-repo" });
+
+    expect(mockGetRepo).toHaveBeenCalledWith({ owner: "target-owner", repo: "target-repo" });
+    expect(result).toBe("develop");
+  });
+
+  it("should use targetRepo for API default branch lookup", async () => {
+    const mockGetRepo = vi.fn().mockResolvedValue({ data: { default_branch: "develop" } });
+    global.github = {
+      rest: {
+        repos: {
+          get: mockGetRepo,
+        },
+      },
+    };
+
+    const { getBaseBranch } = await import("./get_base_branch.cjs");
+    const result = await getBaseBranch({ owner: "target-owner", repo: "target-repo" });
+
+    expect(mockGetRepo).toHaveBeenCalledWith({ owner: "target-owner", repo: "target-repo" });
+    expect(result).toBe("develop");
+  });
+
+  it("should fall through to DEFAULT_BRANCH when API lookup for repo default branch fails", async () => {
+    const mockWarning = vi.fn();
+    global.github = {
+      rest: {
+        repos: {
+          get: vi.fn().mockRejectedValue(new Error("API error")),
+        },
+      },
+    };
+    global.core = { warning: mockWarning };
+    process.env.DEFAULT_BRANCH = "trunk";
+
+    const { getBaseBranch } = await import("./get_base_branch.cjs");
+    const result = await getBaseBranch({ owner: "owner", repo: "repo" });
+
+    expect(result).toBe("trunk");
+    expect(mockWarning).toHaveBeenCalledWith(expect.stringContaining("Failed to fetch repository default branch"));
+  });
+
+  it("should fall through to hardcoded main when API lookup fails and no DEFAULT_BRANCH set", async () => {
+    global.github = {
+      rest: {
+        repos: {
+          get: vi.fn().mockRejectedValue(new Error("API error")),
+        },
+      },
+    };
+    global.core = { warning: vi.fn() };
+
+    const { getBaseBranch } = await import("./get_base_branch.cjs");
+    const result = await getBaseBranch({ owner: "owner", repo: "repo" });
+
+    expect(result).toBe("main");
+  });
 });
