Fix bundle apply in safe_outputs: skip unshallow and emit matching fetch-refs step for cross-repo checkouts

[Copilot]

Problem

When the safe_outputs job applies a git bundle from the agent, it can fail with "Repository lacks these prerequisite commits" in two related ways:

1. Expensive unshallow: ensureFullHistoryForBundle was calling git fetch --unshallow origin, which pulls full history of large monorepos — slow, heavy, and unreliable.

2. Missing secondary-ref commits: When checkout: frontmatter declares fetch: refs (e.g. dsyme/ci-perf/*), the agent job fetches those refs so their tip commits are locally available. But safe_outputs only did a bare depth=1 checkout of the base branch — those secondary-ref commits were never fetched, so prerequisite recovery (git fetch origin <sha>) would also fail because the commits aren't reachable from any locally-known ref.

Changes

JS: Remove unshallow from bundle application (git_helpers.cjs, create_pull_request.cjs, push_to_pull_request_branch.cjs)

• ensureFullHistoryForBundle now skips the git fetch --unshallow call in shallow repos. It probes for shallowness and logs that it will rely on prerequisite recovery.
• Bundle fetch failures due to missing prerequisites still go through the existing recovery path: parse missing SHAs from stderr → git fetch origin <sha>... → retry. This handles the common case where the base branch advanced between agent and safe_outputs (the old commit is still reachable from origin).
• Updated tests to assert that bundle application does not trigger unshallow.

Go: Emit matching "Fetch additional refs" step in safe_outputs job (compiler_safe_outputs_steps.go, checkout_manager.go)

• Added GetCheckoutForRepository(repoSlug) to CheckoutManager to look up the resolvedCheckout entry for a given cross-repo target.
• buildSharedPRCheckoutSteps now checks whether the cross-repo targetRepoSlug has a matching checkout: config with fetch: refs declared. If so, it emits a "Fetch additional refs for <repo>" step — identical in structure to what generateFetchStepLines emits for the agent job, but:
  • conditionalized on the same if: condition as the shared checkout step
  • targets the workspace root (not a subdirectory path)
  • uses the safe_outputs-resolved checkout token
• Added 4 new test cases to compiler_safe_outputs_steps_test.go covering: match with fetch refs, match without fetch refs, no match, and push-to-pull-request-branch variant.

Result

For ci-perf workflows targeting github/github with fetch: [master, dsyme/ci-perf/*]:

• safe_outputs now emits a "Fetch additional refs for github/github" step after the git-credentials step, making those branch tips locally available before applyBundleToBranch runs.
• No more expensive unshallow call.
• Prerequisite recovery remains as a fallback for the base-branch-advanced race (old commit reachable from origin/master → git fetch origin <sha> works).

Fixes #35459

[Copilot]

Pull request overview

Fixes bundle apply failures in the safe_outputs job for large monorepos. The previous flow tried to unshallow before applying a git bundle (expensive and unreliable on big repos) and never fetched secondary fetch: refs declared in checkout: frontmatter, so bundle prerequisite commits weren't reachable. This PR drops the unshallow and emits an agent-job-equivalent fetch-refs step in safe_outputs, relying on the existing per-SHA prerequisite recovery as the fallback path.

Changes:

• Make ensureFullHistoryForBundle a probe-only function: no more git fetch --unshallow origin; rely on prerequisite-recovery in create_pull_request.cjs / push_to_pull_request_branch.cjs.
• Add CheckoutManager.GetCheckoutForRepository and have buildSharedPRCheckoutSteps emit a conditional "Fetch additional refs for <repo>" step (mirroring the agent-job fetch step) when the cross-repo target has a matching checkout: config with fetch: refs.
• Update tests (Go + JS) and rewrite the safe-outputs PR docs section.

Show a summary per file

File	Description
actions/setup/js/git_helpers.cjs	Strip the unshallow call from ensureFullHistoryForBundle; updated comments and warning text.
actions/setup/js/create_pull_request.cjs	Comment cleanup referencing the new no-unshallow behavior.
actions/setup/js/push_to_pull_request_branch.cjs	Comment cleanup referencing the new no-unshallow behavior.
actions/setup/js/git_helpers.test.cjs	Assert no unshallow call and align warning text expectations.
actions/setup/js/create_pull_request.test.cjs	Assert bundle apply does not trigger --unshallow.
actions/setup/js/push_to_pull_request_branch.test.cjs	Assert bundle apply does not trigger --unshallow.
pkg/workflow/checkout_manager.go	Add GetCheckoutForRepository lookup.
pkg/workflow/compiler_safe_outputs_steps.go	Emit conditional "Fetch additional refs" step for cross-repo target when checkout fetch: declared.
pkg/workflow/compiler_safe_outputs_steps_test.go	Add 4 cases covering fetch-step emission and the negative paths.
docs/src/content/docs/reference/safe-outputs-pull-requests.md	Rewrite the PR-creation section to describe bundle apply + fetch refs + single cross-repo target.
.github/workflows/jsweep.lock.yml	Lockfile body hash refresh.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 11/11 changed files
• Comments generated: 0