buildx(build): pin implicit git contexts consistently

[crazy-max]

fixes #1083

This change makes implicit git contexts resolve to the event commit consistently across fragment and query formats. The old behavior already pinned most fragment contexts to the event SHA, but query mode still kept symbolic branch and tag refs with a checksum, which meant a later ref update could fail before BuildKit ever got to the pinned commit.

The current gitContext() logic now treats implicit refs as commit-pinned by default and only preserves a symbolic ref in query mode when the caller explicitly provided a checksum. This keeps the old explicit checksum contract, keeps refs/pull/*/head pinned to the pull request head SHA instead of the merge SHA, and removes the older split where pull request refs had special ad hoc handling while branches and tags followed a different path. The function was also simplified in place so the main concepts are easier to read, namely the explicit checksum, the implicit pinned ref, and the final rendered URL.

The history here matters because the previous fix only addressed refs/pull/* drift, but the real problem was broader. Older code at 3bb4ae3#diff-0cd594dddd6a9f2e3e26afebbb92716434437d7001c2416252aa7531e7f2b8d4L45-L60 collapsed most non-PR refs to the event SHA, which made fragment-style contexts effectively pinned, while newer query-style contexts preserved symbolic refs like refs/heads/* and refs/tags/* together.

[tcely]

It looks like your workflow step could use timeout-minutes:

actions-toolkit/.github/workflows/test.yml

Lines 202 to 220 in 3c03d19

	name: Test
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	with:
	script: |
	const testName = `${{ matrix.test_name }}`;
	let args = ['test:itg-coverage'];
	if (testName) {
	args.push(`--testNamePattern=^${testName} `);
	}
	args.push(`__tests__/${{ matrix.test }}`, `--coverage.reportsDirectory=./coverage`);
	await exec.exec('yarn', args);
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	CTN_BUILDER_NAME: ${{ steps.builder.outputs.name }}
	TEST_FOR_SUMMARY: ${{ secrets.TEST_FOR_SUMMARY }}
	DOCKER_INSTALL_TYPE: ${{ matrix.docker_install_type }}
	DOCKER_INSTALL_VERSION: ${{ matrix.docker_install_version }}
	DOCKER_INSTALL_CHANNEL: ${{ matrix.docker_install_channel }}
	-

I'd add timeout-minutes: 30 to this Test step based on the older logs that I saw.

[crazy-max]

It looks like your workflow step could use timeout-minutes:

actions-toolkit/.github/workflows/test.yml

Lines 202 to 220 in 3c03d19

	name: Test
	uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
	with:
	script: |
	const testName = `${{ matrix.test_name }}`;
	let args = ['test:itg-coverage'];
	if (testName) {
	args.push(`--testNamePattern=^${testName} `);
	}
	args.push(`__tests__/${{ matrix.test }}`, `--coverage.reportsDirectory=./coverage`);
	await exec.exec('yarn', args);
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	CTN_BUILDER_NAME: ${{ steps.builder.outputs.name }}
	TEST_FOR_SUMMARY: ${{ secrets.TEST_FOR_SUMMARY }}
	DOCKER_INSTALL_TYPE: ${{ matrix.docker_install_type }}
	DOCKER_INSTALL_VERSION: ${{ matrix.docker_install_version }}
	DOCKER_INSTALL_CHANNEL: ${{ matrix.docker_install_channel }}
	-

I'd add timeout-minutes: 30 to this Test step based on the older logs that I saw.

Yes agree