fix: release-doc-sync action checkout pollutes caller's working tree (#20)

TMHSDigital · web-flow · commit ba757785bb34 · 2026-04-25T10:55:11.000-04:00
The composite action was checking out the meta-repo to a path inside GITHUB_WORKSPACE (.release-doc-sync). The caller's release.yml does git add -A after the action runs, which picked up the directory as a 160000-mode gitlink (submodule pointer to meta-repo HEAD SHA). Every release commit was polluted with this stale pointer. Fix: move the meta-repo checkout to ${{ runner.temp }}/release-doc-sync, which is outside the workspace and not visible to the caller's git add. The action's run step's working-directory updated to match. Surfaced during Phase 2b smoke test on Docker (#5). Caught before Phase 2c parallel rollout could propagate the pollution to 5 more tool repos. Adds a regression test guarding against future re-introduction. Signed-off-by: 154358121+TMHSDigital@users.noreply.github.com Made-with: Cursor Signed-off-by: 154358121+TMHSDigital@users.noreply.github.com
diff --git a/.github/actions/release-doc-sync/action.yml b/.github/actions/release-doc-sync/action.yml
@@ -87,15 +87,17 @@ runs:
   using: 'composite'
   steps:
     # The sync script lives in this repo. Whether the caller is the meta-repo
-    # itself or a tool repo, we always need the script at a known path. Use a
-    # dedicated subdirectory so we do not clobber the caller's own checkout
-    # (which lives at GITHUB_WORKSPACE).
+    # itself or a tool repo, we always need the script at a known path. Check
+    # out to runner.temp (OUTSIDE GITHUB_WORKSPACE) so the caller's release
+    # commit step (typically `git add -A`) does not pick up the meta-repo
+    # checkout as a 160000-mode gitlink. See v1.8.1 changelog for the bug
+    # this avoids; regression-tested in tests/test_release_doc_sync.py.
     - name: Checkout release-doc-sync script
       uses: actions/checkout@v5
       with:
         repository: TMHSDigital/Developer-Tools-Directory
         ref: ${{ inputs.meta-repo-ref }}
-        path: .release-doc-sync
+        path: ${{ runner.temp }}/release-doc-sync
 
     - name: Set up Python
       uses: actions/setup-python@v5
@@ -105,7 +107,7 @@ runs:
     - name: Run release-doc-sync
       id: run
       shell: bash
-      working-directory: .release-doc-sync
+      working-directory: ${{ runner.temp }}/release-doc-sync
       env:
         PLUGIN_VERSION: ${{ inputs.plugin-version }}
         PREVIOUS_VERSION: ${{ inputs.previous-version }}
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.8.0
+1.8.1
diff --git a/tests/test_release_doc_sync.py b/tests/test_release_doc_sync.py
@@ -690,13 +690,49 @@ def test_steps_follow_drift_check_pattern(self, action_doc):
 
         checkout_step = next(s for s in steps if "actions/checkout" in s.get("uses", ""))
         assert checkout_step["with"]["repository"] == "TMHSDigital/Developer-Tools-Directory"
-        assert checkout_step["with"]["path"] == ".release-doc-sync"
 
         shell_runs = [s.get("run", "") for s in steps if "run" in s]
         assert any("scripts/release_doc_sync/sync.py" in r for r in shell_runs), (
             "no step invokes the sync script"
         )
 
+    def test_meta_repo_checkout_is_outside_workspace(self, action_doc):
+        """v1.8.1 regression guard. The meta-repo checkout MUST land outside
+        GITHUB_WORKSPACE (i.e., under runner.temp), otherwise the caller's
+        release commit step does `git add -A`, picks up the checkout
+        directory, and writes it into the release commit as a 160000-mode
+        gitlink. That polluted every Docker release commit pre-v1.8.1.
+
+        Both the checkout's `path:` and the run step's `working-directory:`
+        must reference runner.temp so they stay in lock-step."""
+        steps = action_doc["runs"]["steps"]
+
+        checkout_step = next(s for s in steps if "actions/checkout" in s.get("uses", ""))
+        checkout_path = checkout_step["with"]["path"]
+        assert "runner.temp" in checkout_path, (
+            f"Meta-repo checkout path must be under ${{{{ runner.temp }}}} to avoid "
+            f"polluting the caller's release commit with a gitlink. "
+            f"Got: {checkout_path!r}. See v1.8.1 / DTD#5 Phase 2b."
+        )
+        assert not checkout_path.startswith("."), (
+            f"Meta-repo checkout path must not be a workspace-relative dotted path "
+            f"(those land inside GITHUB_WORKSPACE). Got: {checkout_path!r}."
+        )
+
+        run_step = next(
+            s for s in steps
+            if s.get("id") == "run" or "sync.py" in s.get("run", "")
+        )
+        wd = run_step.get("working-directory", "")
+        assert "runner.temp" in wd, (
+            f"Run step's working-directory must match the checkout path "
+            f"(both under ${{{{ runner.temp }}}}). Got: {wd!r}."
+        )
+        assert checkout_path == wd, (
+            f"Checkout path and run working-directory must be identical "
+            f"(checkout={checkout_path!r}, working-directory={wd!r})."
+        )
+
     def test_action_does_not_request_github_token(self, action_doc):
         """The action runs inside the caller's release.yml and edits files
         in-place; the caller's existing 'Commit and tag' step picks them
