fix(ci): Pin all checkouts to triggering workflow_run commit in deploy-frontend.yml

[github-actions]

Summary

On workflow_run-triggered jobs, github.sha points to the default branch HEAD — not the commit that passed the upstream workflow. This causes actions/checkout to check out a different revision than what was tested, allowing a build-one-commit/deploy-another-manifests scenario.

Affected file

.github/workflows/deploy-frontend.yml — lines 64-67, 105-106, 121-123, 185-187

Required fix

Use github.event.workflow_run.head_sha as the ref input on every actions/checkout step and for the org.opencontainers.image.revision OCI label:

- uses: actions/checkout@v6
  with:
    fetch-depth: 0
    ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}

References

• PR Phase 16: Remaining widgets, role-based UI, frontend tests #361 review: Phase 16: Remaining widgets, role-based UI, frontend tests #361 (comment)
• Severity: 🔴 Critical

[blocksorg]

Mention Blocks like a regular teammate with your question or request:

@blocks can you add technical details to this issue?
@blocks make the following changes ...
@blocks create an issue from what was mentioned in the following comment ...
@blocks explain the following code ...
@blocks are there any security or performance concerns?

Run @blocks /help for more information.

Workspace settings | Disable this message