From c9ca191daea99efe007fffabeb7476204401bffb Mon Sep 17 00:00:00 2001
From: Nat Dean-Lewis <nat.dean-lewis@softwire.com>
Date: Wed, 11 Mar 2026 15:57:51 +0000
Subject: [PATCH] CLDC-4136: don't allow manual teardown to avoid unnecessary
 edge cases

---
 .../workflows/manual_review_code_pipeline.yml | 20 ++++++++++++++++++
 .github/workflows/review_pipeline.yml         | 21 +++++--------------
 2 files changed, 25 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/manual_review_code_pipeline.yml b/.github/workflows/manual_review_code_pipeline.yml
index 561c06b76..f3ab9a3dd 100644
--- a/.github/workflows/manual_review_code_pipeline.yml
+++ b/.github/workflows/manual_review_code_pipeline.yml
@@ -16,8 +16,27 @@ defaults:
     shell: bash
 
 jobs:
+  get_pr_head_sha:
+    name: Get PR HEAD SHA
+    runs-on: ubuntu-latest
+    outputs:
+      pr_head_sha: ${{ steps.get_sha.outputs.pr_head_sha }}
+    steps:
+      - name: Get PR HEAD SHA
+        id: get_sha
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { data: pr } = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: parseInt('${{ inputs.pr_number }}'),
+            });
+            core.setOutput('pr_head_sha', pr.head.sha);
+
   code:
     name: Deploy review app code
+    needs: [get_pr_head_sha]
     uses: ./.github/workflows/aws_deploy.yml
     with:
       aws_account_id: 837698168072
@@ -25,5 +44,6 @@ jobs:
       aws_task_prefix: core-review-${{ inputs.pr_number }}
       concurrency_tag: ${{ inputs.pr_number }}
       environment: review
+      ref: ${{ needs.get_pr_head_sha.outputs.pr_head_sha }}
     permissions:
       id-token: write
diff --git a/.github/workflows/review_pipeline.yml b/.github/workflows/review_pipeline.yml
index 85271a3e7..13b1fbf54 100644
--- a/.github/workflows/review_pipeline.yml
+++ b/.github/workflows/review_pipeline.yml
@@ -53,7 +53,7 @@ jobs:
     needs: [get_pr_details]
     runs-on: ubuntu-latest
     permissions:
-      actions: read
+      pull-requests: read
     outputs:
       started: ${{ steps.check.outputs.started }}
     steps:
@@ -63,24 +63,13 @@ jobs:
         with:
           script: |
             const prNumber = '${{ needs.get_pr_details.outputs.pr_number }}';
-            const { data: runs } = await github.rest.actions.listWorkflowRuns({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              workflow_id: 'review_pipeline.yml',
-              event: 'issue_comment',
-            });
-            const { data: dispatchRuns } = await github.rest.actions.listWorkflowRuns({
+            const { data: comments } = await github.rest.issues.listComments({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              workflow_id: 'review_pipeline.yml',
-              event: 'workflow_dispatch',
+              issue_number: parseInt(prNumber),
             });
-            const allRuns = [...runs.workflow_runs, ...dispatchRuns.workflow_runs];
-            const prRun = allRuns.find(run =>
-              run.display_title.includes(`#${prNumber}`) ||
-              run.head_branch === context.payload.pull_request.head.ref
-            );
-            core.setOutput('started', prRun ? 'true' : 'false');
+            const deployComment = comments.find(c => c.body === 'Starting review app deployment...');
+            core.setOutput('started', deployComment ? 'true' : 'false');
 
   deployment_started_comment:
     name: Comment deployment started