create action to checkout

.github/actions/checkout/action.yml

@@ -0,0 +1,22 @@
+name: 'Checkout'
+description: 'Checkout. If on a detached HEAD, switching to the branch `new-branch`.'
+runs:
+  using: 'composite'
+  steps:
+    - uses: actions/checkout@v4
+      name: Checkout merge commit
+      with:
+        # We need to fetch all branches and commits so that Nx affected has a base to compare
+        # against.
+        fetch-depth: 0
+
+    - name: Check if the HEAD is detached
+      id: check_head
+      run: |
+        git symbolic-ref -q HEAD > /dev/null 2>&1
+        echo "is_detached=$?" >> "$GITHUB_OUTPUT"
+
+    # Buildx does not work on a detached HEAD
+    - name:
+      if: ${{ steps.check_head.outputs.is_detached }}
+      run: git switch -c new-branch

.github/workflows/sonar-scan.yml

@@ -11,10 +11,6 @@ on:
   pull_request_target:
     types: [opened, synchronize, reopened, labeled]
 
-env:
-  HEAD_REF: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.ref || github.ref_name }}
-  HEAD_REPOSITORY: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name || github.repository }}
-
 jobs:
   sonar:
     runs-on: ubuntu-latest
@@ -23,15 +19,11 @@ jobs:
         if: ${{ github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'sonar-scan-approved') != true }}
         run: echo "Add the label 'sonar-scan-approved' to this PR to activate Sonar scan"; exit 1
 
-      - uses: actions/checkout@v3
-        name: Checkout ${{ env.HEAD_REPOSITORY }}:${{ env.HEAD_REF }}
-        with:
-          ref: ${{ env.HEAD_REF }}
-          repository: ${{ env.HEAD_REPOSITORY }}
-          fetch-depth: 0
+      - name: Checkout merge commit
+        uses: ./.github/actions/checkout
 
       - name: Derive appropriate SHAs for base and head for `nx affected` commands
-        uses: nrwl/nx-set-shas@v3
+        uses: nrwl/nx-set-shas@v4
 
       - name: Set up the dev container
         env: