From e75859c67aa8ca6ce9aeb4c759462e2fdb93a8a9 Mon Sep 17 00:00:00 2001
From: Chris Farhood <chris@farhood.org>
Date: Thu, 14 May 2026 05:58:37 +0000
Subject: [PATCH] fix: resolve BASE_REF from PR API on pull_request_review
 events

BASE_REF is empty on pull_request_review events since github.base_ref
is only populated on pull_request events. The empty string hit the
case * wildcard and silently passed the promotion gate.

Add a fallback that fetches .base.ref from the PR API when BASE_REF
is empty but a PR_NUMBER is available.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .github/workflows/dual-approval-check.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/dual-approval-check.yaml b/.github/workflows/dual-approval-check.yaml
index d759e70..b4aa7d9 100644
--- a/.github/workflows/dual-approval-check.yaml
+++ b/.github/workflows/dual-approval-check.yaml
@@ -29,6 +29,14 @@ jobs:
 
           echo "Checking promotion gate for PR #${PR_NUMBER} targeting ${BASE_REF} in ${REPO}"
 
+          if [ -z "${BASE_REF}" ] && [ -n "${PR_NUMBER}" ] && [ "${PR_NUMBER}" != "null" ]; then
+            BASE_REF=$(curl -sf \
+              -H "Authorization: Bearer ${GH_TOKEN}" \
+              -H "Accept: application/vnd.github.v3+json" \
+              "https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.base.ref')
+            echo "BASE_REF was empty; resolved from PR #${PR_NUMBER} API: ${BASE_REF}"
+          fi
+
           # Determine required reviewer based on target branch
           case "${BASE_REF}" in
             dev)