Fix lint errors

Agent-Logs-Url: https://github.com/github/codeql-action/sessions/e39d1fb6-4ce3-47c3-9113-e41b111fc8fb

Co-authored-by: oscarsj <1410188+oscarsj@users.noreply.github.com>

package-lock.json

@@ -410,6 +410,15 @@
         "undici": "^6.23.0"
       }
     },
+    "node_modules/@actions/github/node_modules/undici": {
+      "version": "6.23.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz",
+      "integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.17"
+      }
+    },
     "node_modules/@actions/glob": {
       "version": "0.5.1",
       "resolved": "https://registry.npmjs.org/@actions/glob/-/glob-0.5.1.tgz",
@@ -430,6 +439,15 @@
         "undici": "^6.23.0"
       }
     },
+    "node_modules/@actions/http-client/node_modules/undici": {
+      "version": "6.23.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz",
+      "integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.17"
+      }
+    },
     "node_modules/@actions/io": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/@actions/io/-/io-2.0.0.tgz",
@@ -1476,6 +1494,14 @@
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
       }
     },
+    "node_modules/@fastify/busboy": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz",
+      "integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==",
+      "engines": {
+        "node": ">=14"
+      }
+    },
     "node_modules/@github/browserslist-config": {
       "version": "1.0.0",
       "dev": true,
@@ -9828,12 +9854,14 @@
       }
     },
     "node_modules/undici": {
-      "version": "6.24.1",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-6.24.1.tgz",
-      "integrity": "sha512-sC+b0tB1whOCzbtlx20fx3WgCXwkW627p4EA9uM+/tNNPkSS+eSEld6pAs9nDv7WbY1UUljBMYPtu9BCOrCWKA==",
-      "license": "MIT",
+      "version": "5.29.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-5.29.0.tgz",
+      "integrity": "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==",
+      "dependencies": {
+        "@fastify/busboy": "^2.0.0"
+      },
       "engines": {
-        "node": ">=18.17"
+        "node": ">=14.0"
       }
     },
     "node_modules/undici-types": {

package.json

@@ -90,7 +90,6 @@
       "semver": ">=6.3.1"
     },
     "brace-expansion@2.0.1": "2.0.2",
-    "glob": "^11.1.0",
-    "undici": "^6.24.0"
+    "glob": "^11.1.0"
   }
 }

src/api-client.ts

@@ -128,8 +128,6 @@ export async function getGitHubVersionFromApi(
 
   // Doesn't strictly have to be the meta endpoint as we're only
   // using the response headers which are available on every request.
-  //
-  // See https://docs.github.com/en/rest/meta/meta#get-github-meta-information.
   // eslint-disable-next-line @typescript-eslint/no-unsafe-call
   const response = await apiClient.rest.meta.get();
 
@@ -166,9 +164,6 @@ export async function getGitHubVersion(): Promise<GitHubVersion> {
 
 /**
  * Get the path of the currently executing workflow relative to the repository root.
- *
- * See https://docs.github.com/en/rest/actions/workflow-runs#get-a-workflow-run
- * and https://docs.github.com/en/rest/actions/workflows#get-a-workflow.
  */
 export async function getWorkflowRelativePath(): Promise<string> {
   const repo_nwo = getRepositoryNwo();
@@ -257,13 +252,9 @@ export interface ActionsCacheItem {
   size_in_bytes?: number;
 }
 
-/**
- * List all Actions cache entries starting with the provided key prefix and matching the provided ref.
- *
- * See https://docs.github.com/en/rest/actions/cache#list-github-actions-caches-for-a-repository.
- */
+/** List all Actions cache entries matching the provided key and ref. */
 export async function listActionsCaches(
-  keyPrefix: string,
+  key: string,
   ref?: string,
 ): Promise<ActionsCacheItem[]> {
   const repositoryNwo = getRepositoryNwo();
@@ -273,17 +264,13 @@ export async function listActionsCaches(
     {
       owner: repositoryNwo.owner,
       repo: repositoryNwo.repo,
-      key: keyPrefix,
+      key,
       ref,
     },
   );
 }
 
-/**
- * Delete an Actions cache item by its ID.
- *
- * See https://docs.github.com/en/rest/actions/cache#delete-a-github-actions-cache-for-a-repository-using-a-cache-id.
- */
+/** Delete an Actions cache item by its ID. */
 export async function deleteActionsCache(id: number) {
   const repositoryNwo = getRepositoryNwo();
 
@@ -294,11 +281,7 @@ export async function deleteActionsCache(id: number) {
   });
 }
 
-/**
- * Retrieve all custom repository properties.
- *
- * See https://docs.github.com/en/rest/repos/custom-properties#get-all-custom-property-values-for-a-repository.
- */
+/** Retrieve all custom repository properties. */
 export async function getRepositoryProperties(repositoryNwo: RepositoryNwo) {
   return getApiClient().request("GET /repos/:owner/:repo/properties/values", {
     owner: repositoryNwo.owner,

src/git-utils.test.ts

@@ -193,6 +193,94 @@ test.serial(
   },
 );
 
+test.serial(
+  "getRef() returns merge PR ref if GITHUB_SHA still checked out (SHA-256)",
+  async (t) => {
+    await withTmpDir(async (tmpDir: string) => {
+      setupActionsVars(tmpDir, tmpDir);
+      const expectedRef = "refs/pull/1/merge";
+      const currentSha = "a".repeat(64);
+      process.env["GITHUB_REF"] = expectedRef;
+      process.env["GITHUB_SHA"] = currentSha;
+
+      const callback = sinon.stub(gitUtils, "getCommitOid");
+      callback.withArgs("HEAD").resolves(currentSha);
+
+      const actualRef = await gitUtils.getRef();
+      t.deepEqual(actualRef, expectedRef);
+      callback.restore();
+    });
+  },
+);
+
+test.serial(
+  "getRef() returns merge PR ref if GITHUB_REF still checked out but sha has changed (actions checkout@v1) (SHA-256)",
+  async (t) => {
+    await withTmpDir(async (tmpDir: string) => {
+      setupActionsVars(tmpDir, tmpDir);
+      const expectedRef = "refs/pull/1/merge";
+      process.env["GITHUB_REF"] = expectedRef;
+      process.env["GITHUB_SHA"] = "b".repeat(64);
+      const sha = "a".repeat(64);
+
+      const callback = sinon.stub(gitUtils, "getCommitOid");
+      callback.withArgs("refs/remotes/pull/1/merge").resolves(sha);
+      callback.withArgs("HEAD").resolves(sha);
+
+      const actualRef = await gitUtils.getRef();
+      t.deepEqual(actualRef, expectedRef);
+      callback.restore();
+    });
+  },
+);
+
+test.serial(
+  "getRef() returns head PR ref if GITHUB_REF no longer checked out (SHA-256)",
+  async (t) => {
+    await withTmpDir(async (tmpDir: string) => {
+      setupActionsVars(tmpDir, tmpDir);
+      process.env["GITHUB_REF"] = "refs/pull/1/merge";
+      process.env["GITHUB_SHA"] = "a".repeat(64);
+
+      const callback = sinon.stub(gitUtils, "getCommitOid");
+      callback.withArgs(tmpDir, "refs/pull/1/merge").resolves("a".repeat(64));
+      callback.withArgs(tmpDir, "HEAD").resolves("b".repeat(64));
+
+      const actualRef = await gitUtils.getRef();
+      t.deepEqual(actualRef, "refs/pull/1/head");
+      callback.restore();
+    });
+  },
+);
+
+test.serial(
+  "getRef() returns ref provided as an input and ignores current HEAD (SHA-256)",
+  async (t) => {
+    await withTmpDir(async (tmpDir: string) => {
+      setupActionsVars(tmpDir, tmpDir);
+      const getAdditionalInputStub = sinon.stub(
+        actionsUtil,
+        "getOptionalInput",
+      );
+      getAdditionalInputStub.withArgs("ref").resolves("refs/pull/2/merge");
+      getAdditionalInputStub.withArgs("sha").resolves("b".repeat(64));
+
+      // These values are be ignored
+      process.env["GITHUB_REF"] = "refs/pull/1/merge";
+      process.env["GITHUB_SHA"] = "a".repeat(64);
+
+      const callback = sinon.stub(gitUtils, "getCommitOid");
+      callback.withArgs("refs/pull/1/merge").resolves("b".repeat(64));
+      callback.withArgs("HEAD").resolves("b".repeat(64));
+
+      const actualRef = await gitUtils.getRef();
+      t.deepEqual(actualRef, "refs/pull/2/merge");
+      callback.restore();
+      getAdditionalInputStub.restore();
+    });
+  },
+);
+
 test.serial("isAnalyzingDefaultBranch()", async (t) => {
   process.env["GITHUB_EVENT_NAME"] = "push";
   process.env["CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH"] = "true";
@@ -305,6 +393,25 @@ test.serial("determineBaseBranchHeadCommitOid other error", async (t) => {
   infoStub.restore();
 });
 
+test.serial(
+  "determineBaseBranchHeadCommitOid returns baseOid for SHA-256 merge commit",
+  async (t) => {
+    const mergeSha = "a".repeat(64);
+    const baseOid = "b".repeat(64);
+    const headOid = "c".repeat(64);
+
+    process.env["GITHUB_EVENT_NAME"] = "pull_request";
+    process.env["GITHUB_SHA"] = mergeSha;
+
+    sinon
+      .stub(gitUtils as any, "runGitCommand")
+      .resolves(`commit ${mergeSha}\nparent ${baseOid}\nparent ${headOid}\n`);
+
+    const result = await gitUtils.determineBaseBranchHeadCommitOid(__dirname);
+    t.deepEqual(result, baseOid);
+  },
+);
+
 test.serial("decodeGitFilePath unquoted strings", async (t) => {
   t.deepEqual(gitUtils.decodeGitFilePath("foo"), "foo");
   t.deepEqual(gitUtils.decodeGitFilePath("foo bar"), "foo bar");
@@ -482,6 +589,61 @@ test.serial(
   },
 );
 
+test.serial(
+  "getFileOidsUnderPath handles SHA-256 OIDs (64-char)",
+  async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      sinon
+        .stub(gitUtils as any, "runGitCommand")
+        .callsFake(async (_cwd: any, args: any) => {
+          if (args[0] === "rev-parse") {
+            return `${tmpDir}\n`;
+          }
+          return (
+            "100644 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2c0d4b7e8f9a1234567890ab 0\tlib/git-utils.js\n" +
+            "100644 aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899 0\tsrc/git-utils.ts"
+          );
+        });
+
+      const result = await gitUtils.getFileOidsUnderPath("/fake/path");
+
+      t.deepEqual(result, {
+        "lib/git-utils.js":
+          "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2c0d4b7e8f9a1234567890ab",
+        "src/git-utils.ts":
+          "aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899",
+      });
+    });
+  },
+);
+
+test.serial(
+  "getFileOidsUnderPath handles mixed SHA-1 and SHA-256 OIDs",
+  async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      sinon
+        .stub(gitUtils as any, "runGitCommand")
+        .callsFake(async (_cwd: any, args: any) => {
+          if (args[0] === "rev-parse") {
+            return `${tmpDir}\n`;
+          }
+          return (
+            "100644 30d998ded095371488be3a729eb61d86ed721a18 0\tlib/sha1-file.js\n" +
+            "100644 aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899 0\tsrc/sha256-file.ts"
+          );
+        });
+
+      const result = await gitUtils.getFileOidsUnderPath("/fake/path");
+
+      t.deepEqual(result, {
+        "lib/sha1-file.js": "30d998ded095371488be3a729eb61d86ed721a18",
+        "src/sha256-file.ts":
+          "aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899",
+      });
+    });
+  },
+);
+
 test.serial(
   "getGitVersionOrThrow returns version for valid git output",
   async (t) => {

src/git-utils.ts

@@ -166,8 +166,8 @@ export const determineBaseBranchHeadCommitOid = async function (
     // Let's confirm our assumptions: We had a merge commit and the parsed parent data looks correct
     if (
       commitOid === mergeSha &&
-      headOid.length === 40 &&
-      baseOid.length === 40
+      (headOid.length === 40 || headOid.length === 64) &&
+      (baseOid.length === 40 || baseOid.length === 64)
     ) {
       return baseOid;
     }
@@ -296,7 +296,7 @@ export const getFileOidsUnderPath = async function (
   // 100644 4c51bc1d9e86cd86e01b0f340cb8ce095c33b283 0\tsrc/git-utils.test.ts
   // 100644 6b792ea543ce75d7a8a03df591e3c85311ecb64f 0\tsrc/git-utils.ts
   // The fields are: <mode> <oid> <stage>\t<path>
-  const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
+  const regex = /^[0-9]+ ([0-9a-f]{40,64}) [0-9]+\t(.+)$/;
   for (const line of stdout.split("\n")) {
     if (line) {
       const match = line.match(regex);

src/overlay/caching.test.ts

@@ -7,7 +7,7 @@ import * as sinon from "sinon";
 
 import * as actionsUtil from "../actions-util";
 import * as apiClient from "../api-client";
-import type { ResolveDatabaseOutput } from "../codeql";
+import { ResolveDatabaseOutput } from "../codeql";
 import * as gitUtils from "../git-utils";
 import { BuiltInLanguage } from "../languages";
 import { getRunnerLogger } from "../logging";
@@ -23,7 +23,6 @@ import {
   downloadOverlayBaseDatabaseFromCache,
   getCacheRestoreKeyPrefix,
   getCacheSaveKey,
-  getCodeQlVersionsForOverlayBaseDatabases,
 } from "./caching";
 import { OverlayDatabaseMode } from "./overlay-database-mode";
 
@@ -286,134 +285,3 @@ test.serial("overlay-base database cache keys remain stable", async (t) => {
     `Expected save key "${saveKey}" to start with restore key prefix "${restoreKeyPrefix}"`,
   );
 });
-
-test.serial(
-  "getCodeQlVersionsForOverlayBaseDatabases returns unique versions sorted latest first",
-  async (t) => {
-    const logger = getRunnerLogger(true);
-
-    sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-    sinon.stub(apiClient, "listActionsCaches").resolves([
-      {
-        key: "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.23.0-abc123-1-1",
-      },
-      {
-        key: "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.24.1-def456-2-1",
-      },
-      {
-        key: "codeql-overlay-base-database-1-c5666c509a2d9895-javascript_python-2.23.0-ghi789-3-1",
-      },
-    ]);
-
-    const result = await getCodeQlVersionsForOverlayBaseDatabases(
-      ["javascript", "python"],
-      logger,
-    );
-    t.deepEqual(result, ["2.24.1", "2.23.0"]);
-  },
-);
-
-test.serial(
-  "getCodeQlVersionsForOverlayBaseDatabases returns empty list when no caches exist",
-  async (t) => {
-    const logger = getRunnerLogger(true);
-
-    sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-    sinon.stub(apiClient, "listActionsCaches").resolves([]);
-
-    const result = await getCodeQlVersionsForOverlayBaseDatabases(
-      ["python"],
-      logger,
-    );
-    t.deepEqual(result, []);
-  },
-);
-
-test.serial(
-  "getCodeQlVersionsForOverlayBaseDatabases returns empty list when cache keys are unparseable",
-  async (t) => {
-    const logger = getRunnerLogger(true);
-
-    sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-    sinon.stub(apiClient, "listActionsCaches").resolves([
-      {
-        key: "codeql-overlay-base-database-1-c5666c509a2d9895-python-malformed",
-      },
-      { key: undefined },
-    ]);
-
-    const result = await getCodeQlVersionsForOverlayBaseDatabases(
-      ["python"],
-      logger,
-    );
-    t.deepEqual(result, []);
-  },
-);
-
-test.serial(
-  "getCodeQlVersionsForOverlayBaseDatabases returns the single version when only one cache exists",
-  async (t) => {
-    const logger = getRunnerLogger(true);
-
-    sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-    sinon.stub(apiClient, "listActionsCaches").resolves([
-      {
-        key: "codeql-overlay-base-database-1-c5666c509a2d9895-cpp-2.25.0-abc123-1-1",
-      },
-    ]);
-
-    const result = await getCodeQlVersionsForOverlayBaseDatabases(
-      ["cpp"],
-      logger,
-    );
-    t.deepEqual(result, ["2.25.0"]);
-  },
-);
-
-test.serial(
-  "getCodeQlVersionsForOverlayBaseDatabases resolves language aliases",
-  async (t) => {
-    const logger = getRunnerLogger(true);
-    // The alias `c++` should be resolved to "cpp" and match cache entries keyed with "cpp"
-
-    sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-    sinon.stub(apiClient, "listActionsCaches").resolves([
-      {
-        key: "codeql-overlay-base-database-1-c5666c509a2d9895-cpp-2.25.0-abc123-1-1",
-      },
-    ]);
-
-    const result = await getCodeQlVersionsForOverlayBaseDatabases(
-      ["c++"],
-      logger,
-    );
-    t.deepEqual(result, ["2.25.0"]);
-  },
-);
-
-test.serial(
-  "getCodeQlVersionsForOverlayBaseDatabases ignores nightly versions with build metadata",
-  async (t) => {
-    const logger = getRunnerLogger(true);
-
-    sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
-    sinon.stub(apiClient, "listActionsCaches").resolves([
-      {
-        key: "codeql-overlay-base-database-1-c5666c509a2d9895-python-2.25.0-abc123-1-1",
-      },
-      {
-        // Nightly release with semver build metadata; should be ignored.
-        key: "codeql-overlay-base-database-1-c5666c509a2d9895-python-2.26.0+202604211234-def456-2-1",
-      },
-      {
-        key: "codeql-overlay-base-database-1-c5666c509a2d9895-python-2.24.0-ghi789-3-1",
-      },
-    ]);
-
-    const result = await getCodeQlVersionsForOverlayBaseDatabases(
-      ["python"],
-      logger,
-    );
-    t.deepEqual(result, ["2.25.0", "2.24.0"]);
-  },
-);

src/overlay/caching.ts

@@ -1,20 +1,18 @@
 import * as fs from "fs";
 
 import * as actionsCache from "@actions/cache";
-import * as semver from "semver";
 
 import {
   getRequiredInput,
   getWorkflowRunAttempt,
   getWorkflowRunID,
 } from "../actions-util";
-import { getAutomationID, listActionsCaches } from "../api-client";
+import { getAutomationID } from "../api-client";
 import { createCacheKeyHash } from "../caching-utils";
 import { type CodeQL } from "../codeql";
 import { type Config } from "../config-utils";
 import { getCommitOid } from "../git-utils";
-import { type Language, parseBuiltInLanguage } from "../languages";
-import { type Logger, withGroupAsync } from "../logging";
+import { Logger, withGroupAsync } from "../logging";
 import {
   CleanupLevel,
   getBaseDatabaseOidsFilePath,
@@ -406,17 +404,7 @@ export async function getCacheRestoreKeyPrefix(
   config: Config,
   codeQlVersion: string,
 ): Promise<string> {
-  return `${await getCacheKeyPrefixBase(config.languages)}${codeQlVersion}-`;
-}
-
-/**
- * Computes the cache key prefix for overlay-base databases, excluding the
- * CodeQL version.
- */
-async function getCacheKeyPrefixBase(
-  parsedLanguages: Language[],
-): Promise<string> {
-  const languagesComponent = [...parsedLanguages].sort().join("_");
+  const languages = [...config.languages].sort().join("_");
 
   const cacheKeyComponents = {
     automationID: await getAutomationID(),
@@ -424,97 +412,17 @@ async function getCacheKeyPrefixBase(
   };
   const componentsHash = createCacheKeyHash(cacheKeyComponents);
 
+  // For a cached overlay-base database to be considered compatible for overlay
+  // analysis, all components in the cache restore key must match:
+  //
   // CACHE_PREFIX: distinguishes overlay-base databases from other cache objects
   // CACHE_VERSION: cache format version
   // componentsHash: hash of additional components (see above for details)
-  // languagesComponent: the languages included in the overlay-base database
+  // languages: the languages included in the overlay-base database
+  // codeQlVersion: CodeQL bundle version
   //
-  // Technically we can also include languages in the componentsHash, but
-  // including them explicitly in the cache key makes it easier to debug and
-  // understand the cache key structure.
-  return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languagesComponent}-`;
-}
-
-/**
- * Searches the GitHub Actions cache for overlay-base databases matching the given languages, and
- * returns all stable CodeQL versions found across matching cache entries.
- *
- * Note that we do not guarantee that the cache entry for these versions of CodeQL will still be
- * present by the time we attempt to restore the cache. We could achieve that with a download retry
- * loop, but we expect that if there is sufficient Actions cache contention that an overlay-base
- * cache entry for a particular CodeQL version is evicted before we can use it, then it is likely
- * that the same thing will happen to other overlay-base cache entries, and therefore we will not be
- * able to use overlay.
- *
- * @returns Unique stable CodeQL versions found in cached overlay-base databases, sorted from latest to
- * earliest, or undefined if one of the languages is not a built-in language.
- */
-export async function getCodeQlVersionsForOverlayBaseDatabases(
-  rawLanguages: string[],
-  logger: Logger,
-): Promise<string[] | undefined> {
-  const languages = rawLanguages.map(parseBuiltInLanguage);
-  if (languages.includes(undefined)) {
-    logger.warning(
-      "One or more provided languages are not recognized as built-in languages. " +
-        "Skipping searching for overlay-base databases in cache.",
-    );
-    return undefined;
-  }
-  const cacheKeyPrefix = await getCacheKeyPrefixBase(
-    languages.filter((l) => l !== undefined),
-  );
-
-  logger.debug(
-    `Searching for overlay-base databases in Actions cache with ` +
-      `prefix ${cacheKeyPrefix}`,
-  );
-
-  const caches = await listActionsCaches(cacheKeyPrefix);
-
-  if (caches.length === 0) {
-    logger.info("No overlay-base databases found in Actions cache.");
-    return [];
-  }
-
-  logger.info(
-    `Found ${caches.length} overlay-base ` +
-      `${caches.length === 1 ? "database" : "databases"} in the Actions cache.`,
-  );
-
-  // Parse CodeQL versions from cache keys, matching only stable releases.
-  //
-  // After the prefix, the remaining key format starts with `${codeQlVersion}-`. Nightlies will have
-  // a suffix like `+202604201548` that will break the match.
-  //
-  // Caveat: this relies on the fact that we haven't released any CodeQL bundles with the
-  // `x.y.z-<pre-release>` semver format which does not interact well with the current overlay base
-  // DB cache key format.
-  const versionRegex = /^([\d.]+)-/;
-  const versionSet = new Set<string>();
-
-  for (const cache of caches) {
-    if (!cache.key) continue;
-    const suffix = cache.key.substring(cacheKeyPrefix.length);
-    const match = suffix.match(versionRegex);
-    if (match && semver.valid(match[1])) {
-      versionSet.add(match[1]);
-    }
-  }
-
-  if (versionSet.size === 0) {
-    logger.info(
-      "Could not parse any CodeQL versions from overlay-base database " +
-        "cache keys.",
-    );
-    return [];
-  }
-
-  const versions = [...versionSet].sort(semver.rcompare);
-
-  logger.info(
-    `Found overlay databases for the following CodeQL versions in the Actions cache: ${versions.join(", ")}`,
-  );
-
-  return versions;
+  // Technically we can also include languages and codeQlVersion in the
+  // componentsHash, but including them explicitly in the cache key makes it
+  // easier to debug and understand the cache key structure.
+  return `${CACHE_PREFIX}-${CACHE_VERSION}-${componentsHash}-${languages}-${codeQlVersion}-`;
 }

src/testing-utils.ts

@@ -160,6 +160,9 @@ export const DEFAULT_ACTIONS_VARS = {
   RUNNER_OS: "Linux",
 } as const satisfies Record<string, string>;
 
+/** A 64-character SHA-256 Git OID for use in SHA-256 repository test scenarios. */
+export const SHA256_GITHUB_SHA = "0".repeat(64);
+
 // Sets environment variables that make using some libraries designed for
 // use only on actions safe to use outside of actions.
 export function setupActionsVars(

src/upload-lib.test.ts

@@ -12,7 +12,7 @@ import * as api from "./api-client";
 import * as diffUtils from "./diff-informed-analysis-utils";
 import { getRunnerLogger, Logger } from "./logging";
 import * as sarif from "./sarif";
-import { setupTests } from "./testing-utils";
+import { setupTests, SHA256_GITHUB_SHA } from "./testing-utils";
 import * as uploadLib from "./upload-lib";
 import { UploadPayload } from "./upload-lib/types";
 import { GitHubVariant, initializeEnvironment, withTmpDir } from "./util";
@@ -110,6 +110,35 @@ test.serial(
   },
 );
 
+test.serial(
+  "validate correct payload used for PR merge commit with SHA-256 OIDs",
+  async (t) => {
+    process.env["GITHUB_EVENT_NAME"] = "pull_request";
+    process.env["GITHUB_SHA"] = SHA256_GITHUB_SHA;
+    process.env["GITHUB_BASE_REF"] = "master";
+    process.env["GITHUB_EVENT_PATH"] =
+      `${__dirname}/../src/testdata/pull_request.json`;
+
+    const sha256MergeBase = "b".repeat(64);
+    const prMergePayload: any = uploadLib.buildPayload(
+      SHA256_GITHUB_SHA,
+      "refs/pull/123/merge",
+      "key",
+      undefined,
+      "",
+      1234,
+      1,
+      "/opt/src",
+      undefined,
+      ["CodeQL", "eslint"],
+      sha256MergeBase,
+    );
+    // Uploads for a merge commit use the merge base (SHA-256)
+    t.deepEqual(prMergePayload.base_ref, "refs/heads/master");
+    t.deepEqual(prMergePayload.base_sha, sha256MergeBase);
+  },
+);
+
 test.serial("finding SARIF files", async (t) => {
   await withTmpDir(async (tmpDir) => {
     // include a couple of sarif files