fix: use token for git auth inside Docker container

actions/checkout@v5 stores credentials in $RUNNER_TEMP which is not
mounted into the Docker container. Instead of requiring a pre-fetch
step in the workflow, we now inject the token into the remote URL
so git operations work inside the container.

Workflow no longer needs the 'Fetch base branch' pre-step.

scripts/review.sh

@@ -73,30 +73,67 @@ echo "::endgroup::"
 # ─── Phase 2: Generate diff ───────────────────────────────────────────────────
 echo "::group::Generate diff"
 
-# actions/checkout for PRs only fetches the PR ref (refs/pull/N/head).
+# Configure git auth using the provided token, so we can fetch inside Docker.
-# It does NOT create remote tracking branches like origin/main.
+# actions/checkout@v5 stores credentials in $RUNNER_TEMP which isn't mounted
-# We must explicitly fetch the base branch.
+# into the container, so we re-authenticate using the token input.
-
+if [ -n "${PI_TOKEN}" ]; then
-# Unshallow if needed (fetch-depth: 0 already does this, but be safe)
+  REMOTE_URL=$(git remote get-url origin 2>/dev/null || echo "")
-git fetch --unshallow origin 2>/dev/null || true
+  if echo "$REMOTE_URL" | grep -q '://'; then
-
+    # HTTP(S) remote: inject token into URL
-# Fetch base branch with explicit refspec to ensure origin/main exists
+    # e.g. https://git.example.com/owner/repo.git → https://token:xxx@git.example.com/owner/repo.git
-if git fetch origin refs/heads/main:refs/remotes/origin/main 2>/dev/null; then
+    PROTOCOL=$(echo "$REMOTE_URL" | sed -E 's|^(https?://).*|\1|')
-  BASE="origin/main"
+    HOST_PATH=$(echo "$REMOTE_URL" | sed -E 's|^https?://||')
-elif git fetch origin refs/heads/master:refs/remotes/origin/master 2>/dev/null; then
+    git remote set-url origin "${PROTOCOL}token:${PI_TOKEN}@${HOST_PATH}"
-  BASE="origin/master"
+    echo "Git auth configured via remote URL"
-else
-  # Fallback: try Gitea/GitHub event context for the target branch
-  TARGET_BRANCH="${GITEA_BASE_REF:-${GITHUB_BASE_REF:-}}"
-  if [ -n "${TARGET_BRANCH}" ] && git fetch origin "refs/heads/${TARGET_BRANCH}:refs/remotes/origin/${TARGET_BRANCH}" 2>/dev/null; then
-    BASE="origin/${TARGET_BRANCH}"
-  else
-    echo "::warning::Could not fetch base branch. Trying origin/HEAD."
-    git fetch origin 2>/dev/null || true
-    BASE="origin/HEAD"
   fi
 fi
 
+# Now find the base branch. With auth configured, fetch should work.
+BASE=""
+
+# 1. Check if remote tracking refs already exist (from a pre-step)
+for candidate in origin/main origin/master; do
+  if git rev-parse --verify "$candidate" >/dev/null 2>&1; then
+    BASE="$candidate"
+    echo "Found existing ref: ${BASE}"
+    break
+  fi
+done
+
+# 2. Try Gitea/GitHub event context for target branch name
+if [ -z "$BASE" ]; then
+  TARGET_BRANCH="${GITEA_BASE_REF:-${GITHUB_BASE_REF:-}}"
+  if [ -n "${TARGET_BRANCH}" ] && git rev-parse --verify "origin/${TARGET_BRANCH}" >/dev/null 2>&1; then
+    BASE="origin/${TARGET_BRANCH}"
+    echo "Found target branch from event: ${BASE}"
+  fi
+fi
+
+# 3. Fetch the base branch (now works with auth)
+if [ -z "$BASE" ]; then
+  echo "No base ref found locally. Fetching..."
+  git fetch --unshallow origin 2>/dev/null || true
+  for branch in main master; do
+    if git fetch origin "+refs/heads/${branch}:refs/remotes/origin/${branch}" 2>/dev/null; then
+      BASE="origin/${branch}"
+      echo "Fetched: ${BASE}"
+      break
+    fi
+  done
+  # Also try the target branch from event context
+  if [ -z "$BASE" ] && [ -n "${TARGET_BRANCH}" ]; then
+    if git fetch origin "+refs/heads/${TARGET_BRANCH}:refs/remotes/origin/${TARGET_BRANCH}" 2>/dev/null; then
+      BASE="origin/${TARGET_BRANCH}"
+      echo "Fetched target: ${BASE}"
+    fi
+  fi
+fi
+
+if [ -z "$BASE" ]; then
+  echo "::error::Could not determine base branch. Ensure 'token' input has repo read access."
+  exit 1
+fi
+
 echo "Base ref: ${BASE} -> $(git rev-parse --short "${BASE}" 2>/dev/null || echo 'NOT FOUND')"
 echo "HEAD:     $(git rev-parse --short HEAD)"
 echo "Files changed:"