[upload-sarif@v3] action completely ignore the sha input and using commit hash from checkout_path instead #2807
Description
- Usage:
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: sarif-results/fix-paths-cpp.sarif
ref: refs/heads/main
sha: a8e616ed369f7f74173a13c5489dbae89c3b12
checkout_path: /runner/_work/parent-repo/build- Output from action:
request: {
method: 'PUT',
url: 'https://github.com/api/v3/repos/PFO/OpenSIL/code-scanning/analysis',
headers: {
accept: 'application/vnd.github.v3+json',
'user-agent': 'CodeQL-Action/3.22.12 octokit-core.js/3.6.0 Node.js/20.18.0 (linux; x64)',
authorization: 'token [REDACTED]',
'content-type': 'application/json; charset=utf-8'
},
body: '{"commit_oid":"b0b0efb3f489d6c16d35gsfd4b388173h99e1049","ref":"refs/heads/main","analysis_key":".github/workflows/codeql-nightly.yml:codeql","analysis_name":"CodeQL- Nightly","sarif":"..."}'From the output, we can see that it is not actually uploading with the commit_oid that we assigned in the sha input.
Looking at the src code of the upload-sarif action:
- https://github.com/github/codeql-action/blob/main/src/upload-sarif-action.ts#L91
- https://github.com/github/codeql-action/blob/main/src/upload-lib.ts#L605
It is actually using the commit hash sha from the repo under thecheckout_path, which completely ignores theshainput in the action.