Merge pull request #417 from igerber/fix-audit-checkout-head

Use refs/pull/N/head for AI review checkout (unblock /ai-review on merged PRs)

Author: igerber

.github/workflows/ai_pr_review.yml

@@ -70,24 +70,52 @@ jobs:
             const { owner, repo } = context.repo;
             const pr = await github.rest.pulls.get({ owner, repo, pull_number: prNumber });
 
+            // head.repo can be null on fork PRs from deleted forks; fall back
+            // to the base repo so checkout still has a sensible target.
+            const headRepoFullName =
+              pr.data.head.repo?.full_name || `${owner}/${repo}`;
+
             core.setOutput("number", prNumber);
             core.setOutput("title", pr.data.title || "");
             core.setOutput("body", pr.data.body || "");
             core.setOutput("base_sha", pr.data.base.sha);
             core.setOutput("head_sha", pr.data.head.sha);
             core.setOutput("base_ref", pr.data.base.ref);
             core.setOutput("head_ref", pr.data.head.ref);
+            core.setOutput("head_repo_full_name", headRepoFullName);
+            core.setOutput("state", pr.data.state);
+
+      # Closed/merged PR (e.g. `/ai-review` rerun on a merged PR):
+      # use the base-repo mirror of the PR head, which GitHub keeps
+      # durably even after the fork is deleted or branches removed.
+      # The previous workflow used `refs/pull/<N>/merge`, which is
+      # garbage-collected on closed PRs — this path replaces that.
+      - uses: actions/checkout@v6
+        if: steps.pr.outputs.state != 'open'
+        with:
+          ref: refs/pull/${{ steps.pr.outputs.number }}/head
 
+      # Open PR: check out by head_sha from the head repo (= base repo
+      # for owner PRs, = the fork for fork PRs). This avoids the
+      # documented race where `refs/pull/<N>/head` on the base repo
+      # has not yet mirrored a freshly API-created PR's head
+      # (see .claude/commands/submit-pr.md:327-345). head_sha is
+      # guaranteed to exist on the head repo for an open PR.
       - uses: actions/checkout@v6
+        if: steps.pr.outputs.state == 'open'
         with:
-          ref: refs/pull/${{ steps.pr.outputs.number }}/merge
+          repository: ${{ steps.pr.outputs.head_repo_full_name }}
+          ref: ${{ steps.pr.outputs.head_sha }}
 
-      - name: Pre-fetch base and head refs
+      - name: Pre-fetch base SHA
         run: |
           set -euo pipefail
-          git fetch --no-tags origin \
-            "${{ steps.pr.outputs.base_ref }}" \
-            +refs/pull/${{ steps.pr.outputs.number }}/head
+          # base_sha lives on the base repo (github.repository), which differs
+          # from origin when this is an open fork PR. Add an explicit `base`
+          # remote so `git diff BASE_SHA HEAD_SHA` finds the base-side tree
+          # regardless of which checkout path ran.
+          git remote add base "https://github.com/${{ github.repository }}.git"
+          git fetch --no-tags --depth=1 base "${{ steps.pr.outputs.base_sha }}"
 
       - name: Fetch previous AI review (if any)
         id: prev_review
@@ -125,7 +153,14 @@ jobs:
           set -euo pipefail
           PROMPT=.github/codex/prompts/pr_review_compiled.md
 
-          cat .github/codex/prompts/pr_review.md > "$PROMPT"
+          # Source the review prompt from base_sha rather than the PR head.
+          # The prompt defines HOW the reviewer reviews; sourcing it from
+          # base prevents a PR from modifying its own review rules. (Note:
+          # docs/methodology/REGISTRY.md and TODO.md remain from the PR
+          # head intentionally - the prompt instructs the reviewer to
+          # recognize PR-added Note/Deviation labels and tracked TODOs as
+          # mitigations, so those must reflect the PR's edits.)
+          git show "${BASE_SHA}":.github/codex/prompts/pr_review.md > "$PROMPT"
 
           # Sanitize untrusted text so hostile content can't close the
           # wrapper tags and inject instructions to the reviewer.