From 95b8083fa39da4aaf38f1c42ab390d14344c1566 Mon Sep 17 00:00:00 2001
From: Chad Bentz <1760475+felickz@users.noreply.github.com>
Date: Mon, 5 Jan 2026 12:25:49 -0500
Subject: [PATCH] Improve commit SHA retrieval by prioritizing user input when provided

1. Checks for sha input first, If the user explicitly sets sha in the analyze or upload-sarif action, that value is used immediately
2. Falls back to git - If no sha input, runs git rev-parse as before
3. Final fallback to GITHUB_SHA - If git fails, uses the environment variable
---
 src/git-utils.ts | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/git-utils.ts b/src/git-utils.ts
index eb9d8c695e..1af9c5416c 100644
--- a/src/git-utils.ts
+++ b/src/git-utils.ts
@@ -96,6 +96,15 @@ export const getCommitOid = async function (
 checkoutPath: string,
 ref = "HEAD",
 ): Promise {
+ // If the user explicitly provides a SHA via the action input, use that.
+ // This is important when the checkout path contains a different repository
+ // than the one where results should be uploaded (e.g., when cloning another
+ // repo for analysis).
+ const shaInput = getOptionalInput("sha");
+ if (shaInput) {
+ return shaInput;
+ }
+
 // Try to use git to get the current commit SHA. If that fails then
 // log but otherwise silently fall back to using the SHA from the environment.
 // The only time these two values will differ is during analysis of a PR when
@@ -107,11 +116,11 @@ export const getCommitOid = async function (
 const stdout = await runGitCommand(
 checkoutPath,
 ["rev-parse", ref],
- "Continuing with commit SHA from user input or environment.",
+ "Continuing with commit SHA from environment.",
 );
 return stdout.trim();
 } catch {
- return getOptionalInput("sha") || getRequiredEnvParam("GITHUB_SHA");
+ return getRequiredEnvParam("GITHUB_SHA");
 }
 };
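Review bot: The early return added in the first hunk of src/git-utils.ts is unconditional: any non-empty `sha` input is returned as the commit OID, whatever `ref` the caller asked for and whatever the string contains. A caller that passes a ref other than the default `"HEAD"` (callers are not visible here, so this needs checking) would now get the input SHA back instead of that ref's OID; guarding the shortcut with `if (shaInput && ref === "HEAD")` would keep the override to the case the new comment describes. Because the value no longer has to correspond to anything in the checkout and appears to decide which commit the uploaded results are attributed to, it is also worth rejecting input that is not a full hex object id, for example with `/^[0-9a-f]{40}$/i` (or 64 hex digits for SHA-256 repositories), instead of passing a short SHA or a branch name through. The function starts above the hunk and its body continues past it.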