Description
When using the SideRepoOps pattern with a cross-repo checkout as the workspace root (i.e., checking out org/target-repo in a workflow that lives in org/side-repo), create-pull-request with target-repo always fails with:
No changes to commit - no commits found
This happens even when the agent has successfully edited files, run tests, and committed to a local branch in the workspace.
Root Causes
generate_git_patch.cjs has two patch strategies. Both fail in the cross-repo checkout case:
Strategy 1 (branch-based): When the agent passes a branch name:
- git show-ref --verify refs/heads/<branch> — succeeds (agent created the branch)
- git show-ref --verify refs/remotes/origin/<branch> — fails (branch has not been pushed)
- Falls back to git fetch origin <DEFAULT_BRANCH> — fails silently because persist-credentials: false (required by strict mode since v0.47.2) removes the credential helper, and the target repo is private
- Exception propagates to outer catch, Strategy 1 is silently skipped
Strategy 2 (GITHUB_SHA fallback):
- GITHUB_SHA is set by the runner to the commit SHA of the workflow repo (the side repo), not the target repo that is checked out
- That SHA does not exist in the target repo git history
- git merge-base --is-ancestor <wrong-SHA> HEAD throws, Strategy 2 is silently skipped
Additionally, DEFAULT_BRANCH is set via ${{ github.event.repository.default_branch }} which resolves to the workflow repo default branch, not the target repo.
Reproduction
Minimal workflow in org/side-repo:
```markdown
---
on: workflow_dispatch
engine: copilot
steps:
  - name: Checkout target repo
    uses: actions/checkout@v6
    with:
      repository: org/target-repo
      token: ${{ secrets.TARGET_PAT }}
      persist-credentials: false
      fetch-depth: 0
safe-outputs:
  github-token: ${{ secrets.TARGET_PAT }}
  create-pull-request:
    target-repo: "org/target-repo"
    base-branch: main
  add-comment:
    max: 1
    target: "*"
    target-repo: "org/main-repo"
---
Edit files in the workspace, commit to a new branch, then call create_pull_request.
```
The agent will successfully edit/commit, but create_pull_request returns "No changes to commit - no commits found" every time.
Evidence
Tested across 3 workflow runs. In all cases:
- Agent successfully edited files, ran tests (14 passed), committed to a local branch
- git log confirmed the commit existed in the workspace
- server.log showed 5 consecutive create_pull_request attempts, all returning "Patch generation failed: No changes to commit - no commits found" in ~200ms each
- add_comment succeeded in the same run (confirming safe outputs infrastructure works)
- Agent-generated git format-patch produced a valid 5-file, 75-line patch (saved as artifact)
Documentation gap
The SideRepoOps pattern shows create-pull-request with target-repo but none of the examples include a checkout step or file editing. This implies cross-repo PRs work out of the box, when in practice they require the target repo to be checked out at the workspace root — and even then, patch generation fails due to the credential/SHA issues described above.
Environment
- gh-aw CLI: v0.47.3
- AWF sandbox: v0.20.2 (chroot mode)
- Engine: copilot (gpt-5.3-codex, v0.0.412)
- MCP Gateway: gh-aw-mcpg v0.1.4
- Private repos, fine-grained PAT
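
The Strategy 2 mismatch described under Root Causes, reproduced offline as an added example (not part of the original issue and not code from generate_git_patch.cjs). Two constructed local repositories stand in for org/side-repo and org/target-repo; usable_base and pick_patch_base are hypothetical helpers that validate a candidate SHA before use and otherwise fall back to a merge-base against a base-branch ref that is already present, which needs no fetch.

```shell
#!/usr/bin/env bash
# Added example. Constructed local repos stand in for org/side-repo and
# org/target-repo; usable_base and pick_patch_base are hypothetical helpers.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Succeeds only if $1 is a commit in this repo AND an ancestor of HEAD.
usable_base() {
  git cat-file -e "$1^{commit}" 2>/dev/null &&
    git merge-base --is-ancestor "$1" HEAD 2>/dev/null
}

# Print a patch base: $1 (e.g. GITHUB_SHA) if usable, else the merge-base with
# an already-present ref for base branch $2. No fetch, so no credentials needed.
pick_patch_base() {
  local ref
  if usable_base "$1"; then git rev-parse "$1^{commit}"; return; fi
  for ref in "refs/remotes/origin/$2" "refs/heads/$2"; do
    if git show-ref --verify --quiet "$ref"; then
      git merge-base "$ref" HEAD; return
    fi
  done
  return 1
}

# Create a repo at $1 with one commit on main; print that commit's SHA.
make_repo() {
  git init -q "$1" && git -C "$1" symbolic-ref HEAD refs/heads/main &&
    echo "$1" > "$1/README" && git -C "$1" add README &&
    git -C "$1" commit -q -m "init $1" && git -C "$1" rev-parse HEAD
}

# Reproduce the mismatch, then print how many commits the recovered patch holds.
demo() (
  tmp=$(mktemp -d) || exit 1
  side_sha=$(make_repo "$tmp/side") || exit 1   # plays the role of GITHUB_SHA
  make_repo "$tmp/target" >/dev/null || exit 1
  cd "$tmp/target" || exit 1
  git checkout -q -b agent-change
  echo fix > fix.txt && git add fix.txt && git commit -q -m "agent commit"
  usable_base "$side_sha" && exit 1             # side-repo SHA must be rejected
  base=$(pick_patch_base "$side_sha" main) || exit 1
  git format-patch --stdout "$base..HEAD" | grep -c '^Subject:'
)

echo "commits in recovered patch: $(demo)"
```

Checking the candidate with git cat-file -e before calling git merge-base --is-ancestor separates "SHA belongs to another repository" from "SHA exists but is not an ancestor", two cases that otherwise both surface as a skipped strategy.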