Skip to content

Bug: create-pull-request target-repo is ignored by git operations in safe_outputs job #15500

New issue
New issue
Closed
#15501
Closed
Bug: create-pull-request target-repo is ignored by git operations in safe_outputs job#15500
#15501
Assignees
pelikhancopilot-swe-agent
@Yoyokrazy

Description

@Yoyokrazy
Yoyokrazy
opened on Feb 13, 2026

Summary

When create-pull-request is configured with target-repo, the safe_outputs job's git operations (checkout, fetch, push) still target the source repository instead of the target. The target-repo value is only used by the GitHub API call to create the PR — all local git operations use the source repo.

This means:

  • git fetch origin <base-branch> fetches from the source repo (fails if branch doesn't exist there)
  • git push origin <branch> pushes to the source repo (wrong repo)
  • git ls-remote --heads origin checks the source repo
  • actions/checkout checks out the source repo

The bug is masked when base-branch happens to exist on both repos (e.g., main), but is exposed when using a branch that only exists on the target (e.g., vnext).

Reproduction

Workflow in org/engineering-repo targeting org/docs-repo with a non-default branch:

safe-outputs:
    github-token: ${{ secrets.CROSS_REPO_PAT }}
    create-pull-request:
        target-repo: 'org/docs-repo'
        base-branch: vnext
        draft: true

The vnext branch exists on org/docs-repo but not on org/engineering-repo.

Result: fatal: couldn't find remote ref vnext

Note: base-branch: main works only by coincidence — main exists on both repos.

Root cause

Two places in the code:

1. Compiler: checkout always targets source repo

compiler_safe_outputs_steps.go L118:

The Checkout repository step never sets the repository: parameter for cross-repo cases (only for trialMode). It always checks out github.repository (the source repo).

2. Compiler: git remote points to source repo

compiler_safe_outputs_steps.go L130:

REPO_NAME: ${{ github.repository }}

The git remote is configured to the source repo, not the target.

3. Handler: no remote reconfiguration

create_pull_request.cjs L463:

await exec.exec(`git fetch origin ${baseBranch}`);

The handler assumes origin already points to the target repo. It never reconfigures the git remote when target-repo is set.

All subsequent git operations (git push origin, git ls-remote --heads origin, git checkout -b ... origin/...) also go to the source repo.

Expected behavior

When target-repo is set on create-pull-request, the safe_outputs job should:

  • Either checkout the target repo directly (via repository: param on actions/checkout), OR
  • Reconfigure the git remote to point to the target repo before git fetch/git push

Workaround

Use base-branch: main (which exists on both repos). The PR will target main in the target repo. The reviewer must manually change the base branch to vnext after creation.

Environment

  • gh-aw CLI: v0.43.7
  • Compiler output confirms the issue — safe_outputs job in the .lock.yml shows:
    • Checkout repository with no repository: parameter
    • REPO_NAME: ${{ github.repository }} in git config
    • Handler config has "target-repo":"org/docs-repo","base_branch":"vnext" but the git remote is never updated

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions