Summary
On push events, the action associates an open PR via gh pr list --head "${{ github.ref_name }}". That matches by head-branch name across all repositories, so an open cross-repo (fork) PR whose head branch happens to be named the same as the pushed branch gets selected. Since upload_coverage.py prefers pull_request_number over ref, the push's coverage is filed under that unrelated PR instead of the branch, and the branch baseline is never recorded.
Impact
This reliably breaks the default branch baseline: if any contributor has an open PR from their fork's main branch (head branch main), every push to your main is attributed to that PR. The default-branch coverage never populates, so every other PR's coverage comment shows "Coverage data for the main branch is not yet available."
Root cause
action.yml (push path):
else
COMMIT_OID="${{ github.sha }}"
REF="${{ github.ref }}"
PR_NUMBER=$(gh pr list \
--repo "$GITHUB_REPOSITORY" \
--head "${{ github.ref_name }}" \ # not scoped to the base repo's own head branches
--state open \
--json number \
--jq '.[0].number // empty' 2>/dev/null || true)
fi--repo only selects which repository's PR list to query; a fork PR is still part of that list (it targets the base repo, only its head branch lives in the fork). --head <branch> matches the head-branch name regardless of where the head lives, so a fork PR with head branch <branch> is returned. Then upload_coverage.py:
if pr_number:
payload["pull_request_number"] = int(pr_number)
elif ref:
payload["ref"] = refpull_request_number wins, so the ref (the branch) is dropped from the payload.
Reproduction
- The repo has an open PR from a fork whose head branch is named
main (head someuser:main → you:main).
- A push to
main (the default branch) triggers the upload.
- The action log shows:
Upload parameters
commit_oid: <sha>
ref: refs/heads/main
pr_number: <the unrelated fork PR number>
Coverage report uploaded successfully.
- Coverage is attributed to that PR; the
main baseline stays empty and PRs report "Coverage data for the main branch is not yet available."
Confirmed that gh pr list --repo OWNER/REPO --head main --state open returns the fork PR (isCrossRepository: true), so the existing --repo argument does not prevent this.
Suggested fix
Scope the PR lookup to head branches in the base repository itself, so fork PRs aren't matched:
COMMIT_OID="${{ github.sha }}"
REF="${{ github.ref }}"
+ REPO_OWNER="${GITHUB_REPOSITORY%%/*}"
+ REPO_NAME="${GITHUB_REPOSITORY#*/}"
PR_NUMBER=$(gh pr list \
--repo "$GITHUB_REPOSITORY" \
--head "${{ github.ref_name }}" \
--state open \
- --json number \
- --jq '.[0].number // empty' 2>/dev/null || true)
+ --json number,headRepositoryOwner,headRepository \
+ --jq "[.[] | select(.headRepositoryOwner.login == \"$REPO_OWNER\" and .headRepository.name == \"$REPO_NAME\")] | .[0].number // empty" 2>/dev/null || true)Alternatives: skip PR association entirely when the pushed ref is the default branch, or prefer ref over pull_request_number for push events.
Drafted by Claude (Anthropic AI assistant).
Summary
On
pushevents, the action associates an open PR viagh pr list --head "${{ github.ref_name }}". That matches by head-branch name across all repositories, so an open cross-repo (fork) PR whose head branch happens to be named the same as the pushed branch gets selected. Sinceupload_coverage.pypreferspull_request_numberoverref, the push's coverage is filed under that unrelated PR instead of the branch, and the branch baseline is never recorded.Impact
This reliably breaks the default branch baseline: if any contributor has an open PR from their fork's
mainbranch (head branchmain), every push to yourmainis attributed to that PR. The default-branch coverage never populates, so every other PR's coverage comment shows "Coverage data for themainbranch is not yet available."Root cause
action.yml(push path):--repoonly selects which repository's PR list to query; a fork PR is still part of that list (it targets the base repo, only its head branch lives in the fork).--head <branch>matches the head-branch name regardless of where the head lives, so a fork PR with head branch<branch>is returned. Thenupload_coverage.py:pull_request_numberwins, so theref(the branch) is dropped from the payload.Reproduction
main(headsomeuser:main→you:main).main(the default branch) triggers the upload.mainbaseline stays empty and PRs report "Coverage data for themainbranch is not yet available."Confirmed that
gh pr list --repo OWNER/REPO --head main --state openreturns the fork PR (isCrossRepository: true), so the existing--repoargument does not prevent this.Suggested fix
Scope the PR lookup to head branches in the base repository itself, so fork PRs aren't matched:
COMMIT_OID="${{ github.sha }}" REF="${{ github.ref }}" + REPO_OWNER="${GITHUB_REPOSITORY%%/*}" + REPO_NAME="${GITHUB_REPOSITORY#*/}" PR_NUMBER=$(gh pr list \ --repo "$GITHUB_REPOSITORY" \ --head "${{ github.ref_name }}" \ --state open \ - --json number \ - --jq '.[0].number // empty' 2>/dev/null || true) + --json number,headRepositoryOwner,headRepository \ + --jq "[.[] | select(.headRepositoryOwner.login == \"$REPO_OWNER\" and .headRepository.name == \"$REPO_NAME\")] | .[0].number // empty" 2>/dev/null || true)Alternatives: skip PR association entirely when the pushed ref is the default branch, or prefer
refoverpull_request_numberforpushevents.Drafted by Claude (Anthropic AI assistant).