From 50a7416c8451125e02dfa1e2598d2d4ad5a7bd56 Mon Sep 17 00:00:00 2001
From: Matt Ramotar <matt.ramotar@icloud.com>
Date: Sun, 7 Jun 2026 07:05:36 -0400
Subject: [PATCH] Fix CI checkout and coverage upload for fork PRs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The `build-and-test` checkout pinned `ref: ${{ github.head_ref || github.ref }}`
without a matching `repository`, so for cross-repository (fork) PRs Actions
looked for the head branch in the base repo and failed at checkout in ~7s with
"a branch or tag with the name '<head-branch>' could not be found" — before any
build or test ran. This affected all external/fork contributions (e.g. #735).

- Checkout: resolve `repository` and `ref` from the PR head when present
  (`github.event.pull_request.head.*`), falling back to `github.repository` /
  `github.ref` for push builds. The `ref` uses the head branch *name* (not the
  head SHA) so HEAD stays attached to a branch — the KMMBridge plugin runs
  `git pull --tags`, which fails on a detached HEAD ("you are not currently on a
  branch"). Fork PRs now check out the contributor's head branch; same-repo PRs
  and pushes to main are unchanged.
- Codecov: skip the upload on fork PRs, where `CODECOV_TOKEN` is unavailable and
  `fail_ci_if_error: true` would otherwise fail the job. Coverage is still
  uploaded and enforced for same-repo PRs and pushes to main.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/ci.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index faf1ce96..a9f581ac 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,7 +18,15 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          ref: ${{ github.head_ref || github.ref }}
+          # PR builds (including forks) check out the PR head from its source repo;
+          # push builds fall back to the pushed ref on this repo. Without the
+          # repository override, fork-PR checkouts look for the head branch in the
+          # base repo and fail with "a branch or tag ... could not be found".
+          # Use the branch name (not the head SHA) so HEAD stays attached to a
+          # branch — the KMMBridge plugin runs `git pull --tags`, which fails on a
+          # detached HEAD with "you are not currently on a branch".
+          repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
+          ref: ${{ github.event.pull_request.head.ref || github.ref }}
           fetch-depth: 0
           persist-credentials: false
 
@@ -38,6 +46,10 @@ jobs:
         run: ./gradlew clean build koverXmlReport --stacktrace
 
       - name: Upload Coverage to Codecov
+        # Secrets (including CODECOV_TOKEN) are not exposed to fork PRs, so the
+        # upload would fail under fail_ci_if_error. Skip it for forks; coverage is
+        # still uploaded and enforced for same-repo PRs and pushes to main.
+        if: ${{ github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request' }}
         uses: codecov/codecov-action@v4
         with:
           token: ${{ secrets.CODECOV_TOKEN }}