fix: use token for git auth inside Docker container

actions/checkout@v5 stores credentials in $RUNNER_TEMP which is not
mounted into the Docker container. Instead of requiring a pre-fetch
step in the workflow, we now inject the token into the remote URL
so git operations work inside the container.

Workflow no longer needs the 'Fetch base branch' pre-step.

scripts/review.sh

@@ -73,13 +73,25 @@ echo "::endgroup::"
 # ─── Phase 2: Generate diff ───────────────────────────────────────────────────
 echo "::group::Generate diff"
 
-# Find the base branch.
+# Configure git auth using the provided token, so we can fetch inside Docker.
-# Strategy: check if remote tracking refs already exist (from a pre-step),
+# actions/checkout@v5 stores credentials in $RUNNER_TEMP which isn't mounted
-# then try Gitea/GitHub event context, then try fetching (may fail without auth).
+# into the container, so we re-authenticate using the token input.
+if [ -n "${PI_TOKEN}" ]; then
+  REMOTE_URL=$(git remote get-url origin 2>/dev/null || echo "")
+  if echo "$REMOTE_URL" | grep -q '://'; then
+    # HTTP(S) remote: inject token into URL
+    # e.g. https://git.example.com/owner/repo.git → https://token:xxx@git.example.com/owner/repo.git
+    PROTOCOL=$(echo "$REMOTE_URL" | sed -E 's|^(https?://).*|\1|')
+    HOST_PATH=$(echo "$REMOTE_URL" | sed -E 's|^https?://||')
+    git remote set-url origin "${PROTOCOL}token:${PI_TOKEN}@${HOST_PATH}"
+    echo "Git auth configured via remote URL"
+  fi
+fi
 
+# Now find the base branch. With auth configured, fetch should work.
 BASE=""
 
-# 1. Check if remote tracking refs already exist (e.g., workflow pre-fetch step)
+# 1. Check if remote tracking refs already exist (from a pre-step)
 for candidate in origin/main origin/master; do
   if git rev-parse --verify "$candidate" >/dev/null 2>&1; then
     BASE="$candidate"
@@ -88,7 +100,7 @@ for candidate in origin/main origin/master; do
   fi
 done
 
-# 2. Try Gitea/GitHub event context for target branch
+# 2. Try Gitea/GitHub event context for target branch name
 if [ -z "$BASE" ]; then
   TARGET_BRANCH="${GITEA_BASE_REF:-${GITHUB_BASE_REF:-}}"
   if [ -n "${TARGET_BRANCH}" ] && git rev-parse --verify "origin/${TARGET_BRANCH}" >/dev/null 2>&1; then
@@ -97,20 +109,28 @@ if [ -z "$BASE" ]; then
   fi
 fi
 
-# 3. Last resort: try to fetch (will likely fail inside Docker without auth)
+# 3. Fetch the base branch (now works with auth)
 if [ -z "$BASE" ]; then
-  echo "::warning::No base ref found locally. Attempting fetch (may fail without auth)..."
+  echo "No base ref found locally. Fetching..."
   git fetch --unshallow origin 2>/dev/null || true
   for branch in main master; do
-    if git fetch origin "refs/heads/${branch}:refs/remotes/origin/${branch}" 2>/dev/null; then
+    if git fetch origin "+refs/heads/${branch}:refs/remotes/origin/${branch}" 2>/dev/null; then
       BASE="origin/${branch}"
+      echo "Fetched: ${BASE}"
       break
     fi
   done
+  # Also try the target branch from event context
+  if [ -z "$BASE" ] && [ -n "${TARGET_BRANCH}" ]; then
+    if git fetch origin "+refs/heads/${TARGET_BRANCH}:refs/remotes/origin/${TARGET_BRANCH}" 2>/dev/null; then
+      BASE="origin/${TARGET_BRANCH}"
+      echo "Fetched target: ${BASE}"
+    fi
+  fi
 fi
 
 if [ -z "$BASE" ]; then
-  echo "::error::Could not determine base branch. Add a 'Fetch base branch' step before this action: git fetch origin refs/heads/main:refs/remotes/origin/main"
+  echo "::error::Could not determine base branch. Ensure 'token' input has repo read access."
   exit 1
 fi