From fcde07c959953c90211d0ff4bd788a32f862c0d7 Mon Sep 17 00:00:00 2001
From: "Molecule AI Dev Engineer A (Kimi)"
Date: Sat, 23 May 2026 21:33:30 +0000
Subject: [PATCH] fix(ci): guard review-check against empty PRs (head == base)
Prevents pull_request_target workflows from reporting failure statuses on main when a PR branch is accidentally force-pushed to the same commit as the base branch (e.g., after a rebase that drops all commits). The 2026-05-23 incident: 4 PRs (#1709, #1710, #1712, #1702) were rebased to main but their patches were already upstream. The resulting empty branches had head_sha == base_sha == main HEAD. Security-review runs that started before the PRs were closed attached failure statuses directly to main's HEAD commit, turning main red. This guard exits 0 early for any open PR where head.sha equals base.sha, so empty PRs never gate. Refs #1741
---
 .gitea/scripts/review-check.sh | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.gitea/scripts/review-check.sh b/.gitea/scripts/review-check.sh
index 61e445ad8..ad526bbcf 100755
--- a/.gitea/scripts/review-check.sh
+++ b/.gitea/scripts/review-check.sh
@@ -128,6 +128,7 @@ fi
 PR_AUTHOR=$(jq -r '.user.login // ""' "$PR_JSON")
 PR_HEAD_SHA=$(jq -r '.head.sha // ""' "$PR_JSON")
 PR_BASE_REF=$(jq -r '.base.ref // ""' "$PR_JSON")
+PR_BASE_SHA=$(jq -r '.base.sha // ""' "$PR_JSON")
 PR_STATE=$(jq -r '.state // ""' "$PR_JSON")
 DEFAULT_BRANCH="${DEFAULT_BRANCH:-main}"
 debug "pr_author=${PR_AUTHOR} pr_head=${PR_HEAD_SHA:0:7} pr_base=${PR_BASE_REF} pr_state=${PR_STATE}"
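Review bot: The `debug` line at the end of this hunk still prints only `pr_head` and the base ref, so a run that takes the new head == base early exit leaves no record of the base SHA it compared against. Appending `pr_base_sha=${PR_BASE_SHA:0:7}` to that message would let a skipped gate be audited from the job log.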
@@ -136,6 +137,10 @@ if [ "$PR_STATE" != "open" ]; then
 echo "::notice::PR ${PR_NUMBER} is ${PR_STATE} — exiting 0 (closed PRs do not gate)"
 exit 0
 fi
+if [ "$PR_HEAD_SHA" = "$PR_BASE_SHA" ]; then
+ echo "::notice::PR ${PR_NUMBER} has no diff (head == base) — exiting 0 (empty PRs do not gate)"
+ exit 0
+fi
 if [ "$PR_BASE_REF" != "$DEFAULT_BRANCH" ]; then
 echo "::notice::PR ${PR_NUMBER} targets ${PR_BASE_REF:-} not ${DEFAULT_BRANCH} — ${TEAM}-review gate not applicable"
 exit 0
-- 2.52.0
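Review bot: The new guard also fires when both SHAs are empty, because `.head.sha // ""` and `.base.sha // ""` in the previous hunk each fall back to an empty string and `[ "" = "" ]` is true. A PR payload that lacks those fields would then exit 0 and skip the review gate as if the PR were empty. Unless a check outside this hunk already rejects an empty head SHA, require a value before comparing: `if [ -n "$PR_HEAD_SHA" ] && [ "$PR_HEAD_SHA" = "$PR_BASE_SHA" ]; then`. For a review gate, unreadable SHAs should fall through to the normal checks rather than take the skip path.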