From e4d46f20f439094862eedd7e21c5abeefb1721f1 Mon Sep 17 00:00:00 2001
From: Ramon Roche
Date: Tue, 7 Apr 2026 15:50:45 -0700
Subject: [PATCH] ci(container): add build_ref input to allow dispatch against arbitrary refs

The current workflow_dispatch path builds whatever HEAD of the dispatch ref is, labels the resulting image with px4_version, and publishes. That's fine for rebuilding current state but it cannot rebuild the exact commit a release tag points to, because the dispatch loads the workflow file from one ref and implicitly checks out the same ref for the build.

This matters for release recovery. When the v1.17.0-rc2 tag push failed to publish containers back on 2026-03-13 (the v1 GHA cache protocol removal in RunsOn v2.12.0), the tag was not re-pushed, so the only way to publish rc2 containers now is via workflow_dispatch. Without this change, a dispatch against release/1.17 builds release/1.17 HEAD and labels it v1.17.0-rc2, which produces a container whose contents do not match the rc2 tag's actual code. That is not a faithful recovery.

Add a build_ref input that controls only the checkout ref, defaulting to empty which falls back to github.ref (preserving current behavior for both push events and dispatches that omit the input). With this, a release recovery looks like:

    gh workflow run dev_container.yml --repo PX4/PX4-Autopilot \
      --ref release/1.17 \
      -f px4_version=v1.17.0-rc2 \
      -f build_ref=v1.17.0-rc2 \
      -f deploy_to_registry=true

The workflow loads from release/1.17 HEAD (which has the cache fix from 39b0568 and the hardening from d74db56a), but the build uses Tools/setup/Dockerfile from the rc2 tag. The published image has rc2 contents under the rc2 label, as if the original tag push had worked.

All three actions/checkout steps (setup, build, deploy) take the same ref expression so every job sees a consistent workspace. Non-dispatch events (push, PR) evaluate github.event.inputs.build_ref to empty and fall back to github.ref exactly as before.

Signed-off-by: Ramon Roche --- .github/workflows/dev_container.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/dev_container.yml b/.github/workflows/dev_container.yml index 896452d038..9b6af779c1 100644 --- a/.github/workflows/dev_container.yml +++ b/.github/workflows/dev_container.yml @@ -24,6 +24,11 @@ on: description: 'Container tag (e.g. v1.16.0)' required: true type: string + build_ref: + description: 'Git ref to build from (branch, tag, or SHA). Leave empty to build from the dispatch ref.' + required: false + type: string + default: '' deploy_to_registry: description: 'Whether to push built images to the registry' required: false @@ -48,6 +53,7 @@ jobs: - uses: runs-on/action@v2 - uses: actions/checkout@v5 with: + ref: ${{ github.event.inputs.build_ref || github.ref }} fetch-tags: true submodules: false fetch-depth: 0 @@ -92,6 +98,7 @@ jobs: - uses: runs-on/action@v2 - uses: actions/checkout@v5 with: + ref: ${{ github.event.inputs.build_ref || github.ref }} fetch-tags: true submodules: false fetch-depth: 0 @@ -148,6 +155,7 @@ jobs: - uses: runs-on/action@v2 - uses: actions/checkout@v5 with: + ref: ${{ github.event.inputs.build_ref || github.ref }} fetch-tags: true submodules: false fetch-depth: 0
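Review bot: in the first hunk (the dispatch inputs), `build_ref` is a free-form string with nothing tying it to `px4_version`, so a dispatch with `deploy_to_registry` enabled can publish the contents of any branch, tag, or SHA under any container tag. Consider a step in the first job that, when deploying, fails unless `build_ref` is empty or resolves to the same commit as the tag named in `px4_version`, or at minimum records the resolved commit SHA in the job summary or as an image label so a published image can be traced back to the code it was built from. The input description could also state that the workflow file itself is still loaded from the dispatch ref and only the checkout changes.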
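Review bot: in the three checkout hunks, `ref: ${{ github.event.inputs.build_ref || github.ref }}` is evaluated separately in each job, so when `build_ref` (or the fallback `github.ref`) names a branch, the branch can advance between jobs and the three checkouts can land on different commits. Resolve the ref to a commit SHA once in the first job, expose it as a job output, and have the later checkouts use that SHA, so the image that is built and the image that is deployed come from one commit. A short comment next to the first `ref:` line explaining the empty-input fallback would also help, since the same expression is repeated three times with no explanation in the file.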