From d34cbbead75daf1c5db0aa80d3ed63099e2f014a Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core
 <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Tue, 3 Oct 2023 09:29:04 -0400
Subject: [PATCH] [VAULT-20630] CI: Fix the CI workflow issue where we check
 out base ref instead of the ref that triggered the workflow run (#23453)
 (#23454)

Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
---
 .github/workflows/ci.yml      | 12 ++++++++++++
 .github/workflows/test-go.yml |  9 +++++++++
 2 files changed, 21 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 23aaaa0a00..aaf42f0020 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,6 +28,7 @@ jobs:
       compute-xlarge: ${{ steps.setup-outputs.outputs.compute-xlarge }}
       enterprise: ${{ steps.setup-outputs.outputs.enterprise }}
       go-tags: ${{ steps.setup-outputs.outputs.go-tags }}
+      checkout-ref: ${{ steps.checkout-ref-output.outputs.checkout-ref }}
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - id: setup-outputs
@@ -59,6 +60,14 @@ jobs:
         with:
           github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
           no-restore: true # don't download them on a cache hit
+      # control checking out head instead of ref by a GH label
+      # if checkout-head label is added to a PR, checkout HEAD otherwise checkout ref
+      - if: ${{ !contains(github.event.pull_request.labels.*.name, 'checkout-head') }}
+        run: echo "CHECKOUT_REF=${{ github.ref }}" >> "$GITHUB_ENV"
+      - if: ${{ contains(github.event.pull_request.labels.*.name, 'checkout-head') }}
+        run: echo "CHECKOUT_REF=${{ github.event.pull_request.head.sha }}" >> "$GITHUB_ENV"
+      - id: checkout-ref-output
+        run: echo "checkout-ref=${{ env.CHECKOUT_REF }}" >> "$GITHUB_OUTPUT"
 
   diff-oss-ci:
     name: Diff OSS
@@ -117,6 +126,7 @@ jobs:
       go-tags: '${{ needs.setup.outputs.go-tags }},deadlock'
       runs-on: ${{ needs.setup.outputs.compute-large }}
       enterprise: ${{ needs.setup.outputs.enterprise }}
+      checkout-ref: ${{ needs.setup.outputs.checkout-ref }}
     secrets: inherit
 
   test-go-race:
@@ -142,6 +152,7 @@ jobs:
       runs-on: ${{ needs.setup.outputs.compute-large }}
       enterprise: ${{ needs.setup.outputs.enterprise }}
       name: "race"
+      checkout-ref: ${{ needs.setup.outputs.checkout-ref }}
     secrets: inherit
 
   test-go-fips:
@@ -167,6 +178,7 @@ jobs:
       runs-on: ${{ needs.setup.outputs.compute-large }}
       enterprise: ${{ needs.setup.outputs.enterprise }}
       name: "fips"
+      checkout-ref: ${{ needs.setup.outputs.checkout-ref }}
     secrets: inherit
 
   test-ui:
diff --git a/.github/workflows/test-go.yml b/.github/workflows/test-go.yml
index 7f63ea719a..889f914bfa 100644
--- a/.github/workflows/test-go.yml
+++ b/.github/workflows/test-go.yml
@@ -52,6 +52,11 @@ on:
         required: false
         default: 60
         type: number
+      checkout-ref:
+        description: The ref to use for checkout.
+        required: false
+        default: ${{ github.base_ref }}
+        type: string
 
 env: ${{ fromJSON(inputs.env-vars) }}
 
@@ -63,6 +68,8 @@ jobs:
     runs-on: ${{ fromJSON(inputs.runs-on) }}
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          ref: ${{ inputs.checkout-ref }}
       - uses: ./.github/actions/set-up-go
         with:
           github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
@@ -172,6 +179,8 @@ jobs:
       TIMEOUT_IN_MINUTES: ${{ inputs.timeout-minutes }}
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          ref: ${{ inputs.checkout-ref }}
       - uses: ./.github/actions/set-up-go
         with:
           github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}