Bug: Docker tags use merge commit SHA instead of actual HEAD SHA in PR builds #2
Description
🐛 Bug Report
Description
When building Docker images from pull requests, the action generates tags using the merge commit SHA instead of the actual HEAD commit SHA from the PR branch. This causes confusion as the tag doesn't match the commit that was actually pushed.
Expected Behavior
Docker image tags should use the actual commit SHA from the PR's HEAD branch:
- Expected tag:
dev-ef0c2f5(actual commit on the branch) - Actual tag:
dev-2840013(GitHub's temporary merge preview commit)
Current Behavior
The action uses github.sha which in PR contexts points to GitHub's simulated merge commit rather than the actual commit being tested.
Example
See PR #18 in unthread-webhook-server:
- Latest commit:
ef0c2f570b04fb2ce31036c7372e99b3562d274b - Merge commit (used in tag):
2840013a5cdc7f1faf7de04e1ae795c18b581e80 - Tag generated:
dev-2840013❌ - Tag expected:
dev-ef0c2f5✅
Root Cause
In action.yml and detect-build-flow.sh, the action relies on GITHUB_SHA environment variable which:
- For push events: Contains the actual commit SHA ✅
- For pull_request events: Contains the merge commit SHA ❌
Proposed Solution
Option 1: Use conditional SHA resolution in action.yml
- name: Resolve Commit SHA
id: sha
shell: bash
run: |
if [ "${{ github.event_name }}" = "pull_request" ] || [ "${{ github.event_name }}" = "pull_request_target" ]; then
echo "sha=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
else
echo "sha=${{ github.sha }}" >> $GITHUB_OUTPUT
fi
- name: Detect Build Flow and Generate Tags
id: detect
shell: bash
run: |
bash ${{ github.action_path }}/scripts/detect-build-flow.sh
env:
GITHUB_SHA: ${{ steps.sha.outputs.sha }} # Override with correct SHA
MAIN_BRANCH: ${{ inputs.main-branch }}
# ... rest of env varsOption 2: Update detect-build-flow.sh to handle PR context
# Resolve correct SHA based on event type
if [ "$GITHUB_EVENT_NAME" = "pull_request" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_target" ]; then
# For PRs, use the head SHA from the PR event payload
RESOLVED_SHA="${GITHUB_HEAD_SHA:-$GITHUB_SHA}"
else
RESOLVED_SHA="$GITHUB_SHA"
fi
short_sha=$(get_short_sha "$RESOLVED_SHA")And pass GITHUB_HEAD_SHA from action.yml:
env:
GITHUB_HEAD_SHA: ${{ github.event.pull_request.head.sha }}Additional Context
This is a common gotcha in GitHub Actions where github.sha behaves differently across event types. Many actions face this same issue.
References
- GitHub Actions Context Documentation
- docker/metadata-action handles this by checking event type
Environment
- Action version:
v1.0.1 - Event type:
pull_request - Workflow: Building PRs to dev/main branches
Priority: Medium - Causes confusion but doesn't break functionality
Impact: All PR builds generate tags with incorrect/confusing commit references