Fix update lavamoat policies workflow

The update lavamoat policies workflow was installing dependencies from the `develop` branch rather than the PR. This resulted in invalid policy updates. It has been updated to use the PR branch in each step instead.
Gudahtt · Jun 27, 2023 · 6a73f86 · 6a73f86
1 parent 04839a2
commit 6a73f86
Showing 1 changed file with 15 additions and 9 deletions.
diff --git a/.github/workflows/update-lavamoat-policies.yml b/.github/workflows/update-lavamoat-policies.yml
@@ -27,7 +27,11 @@ jobs:
     # Early exit if this is a fork, since later steps are skipped for forks
     if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout pull request
+        run: gh pr checkout "${PR_NUMBER}"
+        env:
+          GITHUB_TOKEN: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
+          PR_NUMBER: ${{ github.event.issue.number }}
       - name: Use Node.js
         uses: actions/setup-node@v3
         with:
@@ -42,8 +46,11 @@ jobs:
     needs:
       - prepare
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
+      - name: Checkout pull request
+        run: gh pr checkout "${PR_NUMBER}"
+        env:
+          GITHUB_TOKEN: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
+          PR_NUMBER: ${{ github.event.issue.number }}
       - name: Setup Node.js
         uses: actions/setup-node@v3
         with:
@@ -70,8 +77,11 @@ jobs:
     needs:
       - prepare
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
+      - name: Checkout pull request
+        run: gh pr checkout "${PR_NUMBER}"
+        env:
+          GITHUB_TOKEN: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
+          PR_NUMBER: ${{ github.event.issue.number }}
       - name: Setup Node.js
         uses: actions/setup-node@v3
         with:
@@ -99,10 +109,6 @@ jobs:
     # Ensure forks don't get access to the LavaMoat update token
     if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
     steps:
-      - uses: actions/checkout@v3
-        with:
-          # Use PAT to ensure that the commit later can trigger status check workflows
-          token: ${{ secrets.LAVAMOAT_UPDATE_TOKEN }}
       - name: Checkout pull request
         run: gh pr checkout "${PR_NUMBER}"
         env: