From 5d70de76189a8f54745157f3650ba987303fc717 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@mozilla.com>
Date: Thu, 12 Feb 2026 10:24:57 +0100
Subject: [PATCH] fix(template): pass full ref names in decision task's
 environment

Chain-of-trust verification uses the {BASE,HEAD}_REF variables to
reconstruct the template in which to evaluate .taskcluster.yml, so they
need to match what was passed initially, which in the github-push case
is the full refs/{heads,tags}/foo name.
---
 template/{{cookiecutter.project_name}}/taskcluster.github.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/template/{{cookiecutter.project_name}}/taskcluster.github.yml b/template/{{cookiecutter.project_name}}/taskcluster.github.yml
index 97272a98e..a626d2ed9 100644
--- a/template/{{cookiecutter.project_name}}/taskcluster.github.yml
+++ b/template/{{cookiecutter.project_name}}/taskcluster.github.yml
@@ -202,10 +202,10 @@ tasks:
                               # `taskgraph decision` are all on the command line.
                               $merge:
                                   - ${normProjectUpper}_BASE_REPOSITORY: '${baseRepoUrl}'
-                                    ${normProjectUpper}_BASE_REF: '${short_base_ref}'
+                                    ${normProjectUpper}_BASE_REF: '${base_ref}'
                                     ${normProjectUpper}_BASE_REV: '${base_sha}'
                                     ${normProjectUpper}_HEAD_REPOSITORY: '${repoUrl}'
-                                    ${normProjectUpper}_HEAD_REF: '${short_head_ref}'
+                                    ${normProjectUpper}_HEAD_REF: '${head_ref}'
                                     ${normProjectUpper}_HEAD_REV: '${head_sha}'
                                     ${normProjectUpper}_REPOSITORY_TYPE: git
                                     REPOSITORIES: