Fix: Use HEAD SHA instead of merge commit SHA for PR build tags

[Copilot]

GitHub Actions provides github.sha as the merge commit SHA for pull request events, not the actual commit being tested. This causes PR builds to generate tags like dev-2840013 (merge commit) instead of dev-ef0c2f5 (actual commit).

Changes

Add SHA resolution step in action.yml:

• Conditionally select github.event.pull_request.head.sha for PR events
• Use github.sha for push and other event types
• Pass resolved SHA to detect-build-flow.sh via GITHUB_SHA environment variable
• Update Docker image revision label to use resolved SHA

- name: Resolve Commit SHA
  id: sha
  shell: bash
  run: |
    if [ "${{ github.event_name }}" = "pull_request" ] || [ "${{ github.event_name }}" = "pull_request_target" ]; then
      echo "sha=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
    else
      echo "sha=${{ github.sha }}" >> $GITHUB_OUTPUT
    fi

No changes to shell scripts required—detect-build-flow.sh already reads from GITHUB_SHA environment variable.

Behavior

Event Type	Before	After
PR events	Uses merge commit SHA	Uses actual HEAD SHA
Push events	Uses commit SHA	Uses commit SHA (unchanged)

Example

PR with commit ef0c2f570b04fb2ce31036c7372e99b3562d274b:

• Before: Tag dev-2840013 (GitHub's temporary merge commit)
• After: Tag dev-ef0c2f5 (actual commit from branch)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Bug: Docker tags use merge commit SHA instead of actual HEAD SHA in PR builds</issue_title>
<issue_description>## 🐛 Bug Report

Description

When building Docker images from pull requests, the action generates tags using the merge commit SHA instead of the actual HEAD commit SHA from the PR branch. This causes confusion as the tag doesn't match the commit that was actually pushed.

Expected Behavior

Docker image tags should use the actual commit SHA from the PR's HEAD branch:

• Expected tag: dev-ef0c2f5 (actual commit on the branch)
• Actual tag: dev-2840013 (GitHub's temporary merge preview commit)

Current Behavior

The action uses github.sha which in PR contexts points to GitHub's simulated merge commit rather than the actual commit being tested.

Example

See PR #18 in unthread-webhook-server:

• Latest commit: ef0c2f570b04fb2ce31036c7372e99b3562d274b
• Merge commit (used in tag): 2840013a5cdc7f1faf7de04e1ae795c18b581e80
• Tag generated: dev-2840013 ❌
• Tag expected: dev-ef0c2f5 ✅

Root Cause

In action.yml and detect-build-flow.sh, the action relies on GITHUB_SHA environment variable which:

• For push events: Contains the actual commit SHA ✅
• For pull_request events: Contains the merge commit SHA ❌

Proposed Solution

Option 1: Use conditional SHA resolution in action.yml

- name: Resolve Commit SHA
  id: sha
  shell: bash
  run: |
    if [ "${{ github.event_name }}" = "pull_request" ] || [ "${{ github.event_name }}" = "pull_request_target" ]; then
      echo "sha=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
    else
      echo "sha=${{ github.sha }}" >> $GITHUB_OUTPUT
    fi

- name: Detect Build Flow and Generate Tags
  id: detect
  shell: bash
  run: |
    bash ${{ github.action_path }}/scripts/detect-build-flow.sh
  env:
    GITHUB_SHA: ${{ steps.sha.outputs.sha }}  # Override with correct SHA
    MAIN_BRANCH: ${{ inputs.main-branch }}
    # ... rest of env vars

Option 2: Update detect-build-flow.sh to handle PR context

# Resolve correct SHA based on event type
if [ "$GITHUB_EVENT_NAME" = "pull_request" ] || [ "$GITHUB_EVENT_NAME" = "pull_request_target" ]; then
    # For PRs, use the head SHA from the PR event payload
    RESOLVED_SHA="${GITHUB_HEAD_SHA:-$GITHUB_SHA}"
else
    RESOLVED_SHA="$GITHUB_SHA"
fi

short_sha=$(get_short_sha "$RESOLVED_SHA")

And pass GITHUB_HEAD_SHA from action.yml:

env:
  GITHUB_HEAD_SHA: ${{ github.event.pull_request.head.sha }}

Additional Context

This is a common gotcha in GitHub Actions where github.sha behaves differently across event types. Many actions face this same issue.

References

• GitHub Actions Context Documentation
• docker/metadata-action handles this by checking event type

Environment

• Action version: v1.0.1
• Event type: pull_request
• Workflow: Building PRs to dev/main branches

---

Priority: Medium - Causes confusion but doesn't break functionality
Impact: All PR builds generate tags with incorrect/confusing commit references</issue_description>

<agent_instructions>Let's use the head sha instead of the merge sha, I want to make sure that users should be able to know which build to use based on the commit sha.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes Bug: Docker tags use merge commit SHA instead of actual HEAD SHA in PR builds #2

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.