[plan] Fix resolve_host_repo.cjs to correctly identify callee repo in cross-org workflow_call

[github-actions]

Context

Issue #24949 reports that when a reusable workflow is invoked via workflow_call from a different org (same enterprise), resolve_host_repo.cjs incorrectly resolves to the caller repository instead of the callee (platform) repository.

Root Cause

actions/setup/js/resolve_host_repo.cjs (line 38) uses GITHUB_WORKFLOW_REF to determine the host repo. However, per GitHub Actions documentation, github.workflow_ref (and the GITHUB_WORKFLOW_REF env var) resolves to the top-level caller's workflow ref in workflow_call contexts — not the reusable workflow being executed.

The comment on line 14 incorrectly states:

"GITHUB_WORKFLOW_REF always reflects the currently executing workflow file"

This is only true for non-workflow_call scenarios.

Required Fix

In actions/setup/js/resolve_host_repo.cjs:

1. After extracting workflowRepo from GITHUB_WORKFLOW_REF, check whether it matches GITHUB_REPOSITORY (i.e., both are the caller's repo — cross-org workflow_call scenario)
2. If they match but this is a workflow_call invocation (detectable via GITHUB_EVENT_NAME === 'workflow_call' or by the run context), fall back to the same referenced_workflows API lookup that check_workflow_timestamp_api.cjs uses (lines 118–157 in that file):
   • Call GET /repos/{GITHUB_REPOSITORY}/actions/runs/{GITHUB_RUN_ID}
   • Inspect referenced_workflows[] entries to find the one matching the lock file name
   • Extract the correct callee repository and ref from that entry
3. Set target_repo, target_repo_name, and target_ref outputs from the resolved callee values

Files to Modify

• actions/setup/js/resolve_host_repo.cjs — main fix
• actions/setup/js/resolve_host_repo.cjs test file (if it exists) — add cross-org workflow_call test case

Reference

• actions/setup/js/check_workflow_timestamp_api.cjs lines 118–157 — existing referenced_workflows lookup to reuse
• The target_repo_name output was already designed for actions/create-github-app-token (comment on lines 76–77), confirming cross-org was anticipated

Acceptance Criteria

• When GITHUB_WORKFLOW_REF points to the caller repo (cross-org workflow_call), the script queries the referenced_workflows API and resolves the correct callee repo/ref
• Same-repo and same-org invocations continue to work as before
• Update/fix the misleading comment on line 14 about GITHUB_WORKFLOW_REF
• Tests cover the cross-org workflow_call scenario
  Related to Cross-org workflow_call: resolve_host_repo, checkout, and hash check all fail #24949

Generated by Plan Command for issue #24949 · ● 509.4K · ◷

• expires on Apr 8, 2026, 10:23 PM UTC

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot coding agent.

The Copilot coding agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster · ● 242.2K · ◷