ci: make agent PR exploration trusted checkout lightweight (#3071)

The "Checkout trusted base scripts" step did a full actions/checkout of this large repo on the self-hosted runner. On a recent run it stalled in the initial `git fetch --depth=1 origin <sha>` for many minutes before the agent script ever started, and the run had to be cancelled. The trusted host side only needs the self-contained `.github/scripts/agent-pr-explore-sandbox.sh`; PR code is checked out inside Docker and PR context is gathered via the API. Replace the full checkout with a single-file fetch via `gh api` (raw), pinned to the same trusted base/dispatch commit, which avoids the git-protocol fetch of the whole repo entirely. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-31 19:04:39 +07:00 · 2026-05-27 12:18:19 +08:00 · 2026-05-27 12:18:19 +08:00 · 80639d4da4
commit 80639d4da4
parent 324d56a74b
1 changed files with 19 additions and 5 deletions
--- a/.github/workflows/agent-pr-explore-sandbox.yml
+++ b/.github/workflows/agent-pr-explore-sandbox.yml
@ -28,11 +28,25 @@ jobs:
    timeout-minutes: 45

    steps:
-      - name: Checkout trusted base scripts
-        uses: actions/checkout@v6.0.2
-        with:
-          ref: ${{ github.event.pull_request.base.sha || github.sha }}
-          persist-credentials: false
+      - name: Fetch trusted base script
+        # Only the self-contained sandbox script is needed on the trusted host;
+        # PR code is checked out inside Docker. A full actions/checkout of this
+        # large repo stalled on the self-hosted runner before the agent ever
+        # ran, so fetch just the one trusted file via the API instead. The ref
+        # is pinned to the trusted base/dispatch commit, never PR head.
+        shell: bash
+        env:
+          GH_TOKEN: ${{ github.token }}
+          TRUSTED_REF: ${{ github.event.pull_request.base.sha || github.sha }}
+        run: |
+          set -euo pipefail
+          mkdir -p .github/scripts
+          gh api \
+            -H 'Accept: application/vnd.github.raw' \
+            "repos/$GITHUB_REPOSITORY/contents/.github/scripts/agent-pr-explore-sandbox.sh?ref=$TRUSTED_REF" \
+            > .github/scripts/agent-pr-explore-sandbox.sh
+          chmod +x .github/scripts/agent-pr-explore-sandbox.sh
+          echo "Fetched trusted agent-pr-explore-sandbox.sh at $TRUSTED_REF"

      - name: Resolve PR metadata
        id: pr