Diff against merge-base in changed-files action

[Matt711]

Summary

The changed-files action passed pr-info.base.sha (current tip of the base branch) as base_sha to step-security/changed-files, which produces a two-dot diff base..head. When the base branch advances after a PR branches, this diff falsely reports upstream-only commits' files as changed in the PR, defeating path-based job filtering in consuming repos.

This switches the comparison to three-dot semantics by computing git merge-base base head first and passing that as base_sha. The calling workflow's checkout is shallow, so we fetch progressively deeper (50 → 6400 commits) until the merge-base is reachable, with a graceful fallback to the original base.sha if it isn't.

Concrete example of the bug

cudf PR #22191 only touches 12 files under python/cudf_polars/**, but the Apr 28 run fired conda-python-cudf-tests, wheel-tests-cudf, wheel-tests-dask-cudf, narwhals-tests, pandas-tests, unit-tests-cudf-pandas, third-party-integration-tests-cudf-pandas, etc. — all of which have if: filters that should have skipped them.

The changed-files job's transformed-output showed every group true:

{"build_docs":true, ..., "neither_cudf_polars_nor_dask_cudf":true, "not_cudf_polars":true, ...}

Reproduced locally on the same SHAs:

Diff	Result
d24f7703fa..bc584d76 (two-dot, current behavior)	73 files — includes cpp/, conda/recipes/, ci/test_cpp.sh, etc.
d24f7703fa...bc584d76 (three-dot, this PR)	12 files, all python/cudf_polars/**

The merge-base resolves to e0769e0d on the first iteration at depth=50.

Test plan

• Verify on a fresh consuming-repo PR that's behind its base branch — only path-relevant jobs should fire.
• Verify on a PR that's up-to-date with main — behavior unchanged (merge-base equals base.sha).
• Verify against a forced very-old PR — depth doubling reaches merge-base or falls back cleanly without error.

🤖 Generated with Claude Code