Fix lint errors

Support SHA-256 Git object hashes in git-utils and tests
Agent-Logs-Url: https://github.com/github/codeql-action/sessions/e39d1fb6-4ce3-47c3-9113-e41b111fc8fb Co-authored-by: oscarsj <1410188+oscarsj@users.noreply.github.com>
2026-05-09 15:20:28 +00:00 · 2026-05-06 17:30:02 +02:00 · 2026-05-04 15:53:11 +00:00 · 2026-05-04 15:43:19 +00:00 · 2026-05-01 14:34:01 +00:00 · 2026-05-01 14:09:49 +00:00
19 changed files with 230 additions and 32 deletions
@@ -2,6 +2,10 @@

 See the [releases page](https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

+## [UNRELEASED]
+
+No user facing changes.
+
 ## 4.35.3 - 01 May 2026

 - _Upcoming breaking change_: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. [#3837](https://github.com/github/codeql-action/pull/3837)
@@ -161813,7 +161813,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -162463,7 +162463,7 @@ var getFileOidsUnderPath = async function(basePath) {
    "Cannot list Git OIDs of tracked files."
  );
  const fileOidMap = {};
-  const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
+  const regex = /^[0-9]+ ([0-9a-f]{40,64}) [0-9]+\t(.+)$/;
  for (const line of stdout.split("\n")) {
    if (line) {
      const match = line.match(regex);
@@ -106982,7 +106982,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -107998,7 +107998,7 @@ var determineBaseBranchHeadCommitOid = async function(checkoutPathOverride) {
        }
      }
    }
-    if (commitOid === mergeSha && headOid.length === 40 && baseOid.length === 40) {
+    if (commitOid === mergeSha && (headOid.length === 40 || headOid.length === 64) && (baseOid.length === 40 || baseOid.length === 64)) {
      return baseOid;
    }
    return void 0;
@@ -108064,7 +108064,7 @@ var getFileOidsUnderPath = async function(basePath) {
    "Cannot list Git OIDs of tracked files."
  );
  const fileOidMap = {};
-  const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
+  const regex = /^[0-9]+ ([0-9a-f]{40,64}) [0-9]+\t(.+)$/;
  for (const line of stdout.split("\n")) {
    if (line) {
      const match = line.match(regex);
@@ -103787,7 +103787,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -104517,7 +104517,7 @@ var getFileOidsUnderPath = async function(basePath) {
    "Cannot list Git OIDs of tracked files."
  );
  const fileOidMap = {};
-  const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
+  const regex = /^[0-9]+ ([0-9a-f]{40,64}) [0-9]+\t(.+)$/;
  for (const line of stdout.split("\n")) {
    if (line) {
      const match = line.match(regex);
@@ -164923,7 +164923,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -165917,7 +165917,7 @@ var determineBaseBranchHeadCommitOid = async function(checkoutPathOverride) {
        }
      }
    }
-    if (commitOid === mergeSha && headOid.length === 40 && baseOid.length === 40) {
+    if (commitOid === mergeSha && (headOid.length === 40 || headOid.length === 64) && (baseOid.length === 40 || baseOid.length === 64)) {
      return baseOid;
    }
    return void 0;
@@ -165983,7 +165983,7 @@ var getFileOidsUnderPath = async function(basePath) {
    "Cannot list Git OIDs of tracked files."
  );
  const fileOidMap = {};
-  const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
+  const regex = /^[0-9]+ ([0-9a-f]{40,64}) [0-9]+\t(.+)$/;
  for (const line of stdout.split("\n")) {
    if (line) {
      const match = line.match(regex);
@@ -104341,7 +104341,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -105595,7 +105595,7 @@ var getFileOidsUnderPath = async function(basePath) {
    "Cannot list Git OIDs of tracked files."
  );
  const fileOidMap = {};
-  const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
+  const regex = /^[0-9]+ ([0-9a-f]{40,64}) [0-9]+\t(.+)$/;
  for (const line of stdout.split("\n")) {
    if (line) {
      const match = line.match(regex);
@@ -103795,7 +103795,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -104510,7 +104510,7 @@ var getFileOidsUnderPath = async function(basePath) {
    "Cannot list Git OIDs of tracked files."
  );
  const fileOidMap = {};
-  const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
+  const regex = /^[0-9]+ ([0-9a-f]{40,64}) [0-9]+\t(.+)$/;
  for (const line of stdout.split("\n")) {
    if (line) {
      const match = line.match(regex);
@@ -103882,7 +103882,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -104358,7 +104358,7 @@ var getFileOidsUnderPath = async function(basePath) {
    "Cannot list Git OIDs of tracked files."
  );
  const fileOidMap = {};
-  const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
+  const regex = /^[0-9]+ ([0-9a-f]{40,64}) [0-9]+\t(.+)$/;
  for (const line of stdout.split("\n")) {
    if (line) {
      const match = line.match(regex);
@@ -161760,7 +161760,7 @@ function getTemporaryDirectory() {
  return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 var persistedInputsKey = "persisted_inputs";
 var restoreInputs = function() {
@@ -120992,7 +120992,7 @@ function getTemporaryDirectory() {
  return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -106688,7 +106688,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -107606,7 +107606,7 @@ var determineBaseBranchHeadCommitOid = async function(checkoutPathOverride) {
        }
      }
    }
-    if (commitOid === mergeSha && headOid.length === 40 && baseOid.length === 40) {
+    if (commitOid === mergeSha && (headOid.length === 40 || headOid.length === 64) && (baseOid.length === 40 || baseOid.length === 64)) {
      return baseOid;
    }
    return void 0;
@@ -107672,7 +107672,7 @@ var getFileOidsUnderPath = async function(basePath) {
    "Cannot list Git OIDs of tracked files."
  );
  const fileOidMap = {};
-  const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
+  const regex = /^[0-9]+ ([0-9a-f]{40,64}) [0-9]+\t(.+)$/;
  for (const line of stdout.split("\n")) {
    if (line) {
      const match = line.match(regex);
@@ -161760,7 +161760,7 @@ function getTemporaryDirectory() {
  return value !== void 0 && value !== "" ? value : getRequiredEnvParam("RUNNER_TEMP");
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 var persistedInputsKey = "persisted_inputs";
 var restoreInputs = function() {
@@ -106716,7 +106716,7 @@ function getDiffRangesJsonFilePath() {
  return path2.join(getTemporaryDirectory(), PR_DIFF_RANGE_JSON_FILENAME);
 }
 function getActionVersion() {
-  return "4.35.3";
+  return "4.35.4";
 }
 function getWorkflowEventName() {
  return getRequiredEnvParam("GITHUB_EVENT_NAME");
@@ -107277,7 +107277,7 @@ var determineBaseBranchHeadCommitOid = async function(checkoutPathOverride) {
        }
      }
    }
-    if (commitOid === mergeSha && headOid.length === 40 && baseOid.length === 40) {
+    if (commitOid === mergeSha && (headOid.length === 40 || headOid.length === 64) && (baseOid.length === 40 || baseOid.length === 64)) {
      return baseOid;
    }
    return void 0;
@@ -107343,7 +107343,7 @@ var getFileOidsUnderPath = async function(basePath) {
    "Cannot list Git OIDs of tracked files."
  );
  const fileOidMap = {};
-  const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
+  const regex = /^[0-9]+ ([0-9a-f]{40,64}) [0-9]+\t(.+)$/;
  for (const line of stdout.split("\n")) {
    if (line) {
      const match = line.match(regex);
@@ -1,12 +1,12 @@
 {
  "name": "codeql",
-  "version": "4.35.3",
+  "version": "4.35.4",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "codeql",
-      "version": "4.35.3",
+      "version": "4.35.4",
      "license": "MIT",
      "workspaces": [
        "pr-checks"
@@ -1,6 +1,6 @@
 {
  "name": "codeql",
-  "version": "4.35.3",
+  "version": "4.35.4",
  "private": true,
  "description": "CodeQL action",
  "scripts": {
@@ -193,6 +193,94 @@ test.serial(
  },
 );

+test.serial(
+  "getRef() returns merge PR ref if GITHUB_SHA still checked out (SHA-256)",
+  async (t) => {
+    await withTmpDir(async (tmpDir: string) => {
+      setupActionsVars(tmpDir, tmpDir);
+      const expectedRef = "refs/pull/1/merge";
+      const currentSha = "a".repeat(64);
+      process.env["GITHUB_REF"] = expectedRef;
+      process.env["GITHUB_SHA"] = currentSha;
+
+      const callback = sinon.stub(gitUtils, "getCommitOid");
+      callback.withArgs("HEAD").resolves(currentSha);
+
+      const actualRef = await gitUtils.getRef();
+      t.deepEqual(actualRef, expectedRef);
+      callback.restore();
+    });
+  },
+);
+
+test.serial(
+  "getRef() returns merge PR ref if GITHUB_REF still checked out but sha has changed (actions checkout@v1) (SHA-256)",
+  async (t) => {
+    await withTmpDir(async (tmpDir: string) => {
+      setupActionsVars(tmpDir, tmpDir);
+      const expectedRef = "refs/pull/1/merge";
+      process.env["GITHUB_REF"] = expectedRef;
+      process.env["GITHUB_SHA"] = "b".repeat(64);
+      const sha = "a".repeat(64);
+
+      const callback = sinon.stub(gitUtils, "getCommitOid");
+      callback.withArgs("refs/remotes/pull/1/merge").resolves(sha);
+      callback.withArgs("HEAD").resolves(sha);
+
+      const actualRef = await gitUtils.getRef();
+      t.deepEqual(actualRef, expectedRef);
+      callback.restore();
+    });
+  },
+);
+
+test.serial(
+  "getRef() returns head PR ref if GITHUB_REF no longer checked out (SHA-256)",
+  async (t) => {
+    await withTmpDir(async (tmpDir: string) => {
+      setupActionsVars(tmpDir, tmpDir);
+      process.env["GITHUB_REF"] = "refs/pull/1/merge";
+      process.env["GITHUB_SHA"] = "a".repeat(64);
+
+      const callback = sinon.stub(gitUtils, "getCommitOid");
+      callback.withArgs(tmpDir, "refs/pull/1/merge").resolves("a".repeat(64));
+      callback.withArgs(tmpDir, "HEAD").resolves("b".repeat(64));
+
+      const actualRef = await gitUtils.getRef();
+      t.deepEqual(actualRef, "refs/pull/1/head");
+      callback.restore();
+    });
+  },
+);
+
+test.serial(
+  "getRef() returns ref provided as an input and ignores current HEAD (SHA-256)",
+  async (t) => {
+    await withTmpDir(async (tmpDir: string) => {
+      setupActionsVars(tmpDir, tmpDir);
+      const getAdditionalInputStub = sinon.stub(
+        actionsUtil,
+        "getOptionalInput",
+      );
+      getAdditionalInputStub.withArgs("ref").resolves("refs/pull/2/merge");
+      getAdditionalInputStub.withArgs("sha").resolves("b".repeat(64));
+
+      // These values are be ignored
+      process.env["GITHUB_REF"] = "refs/pull/1/merge";
+      process.env["GITHUB_SHA"] = "a".repeat(64);
+
+      const callback = sinon.stub(gitUtils, "getCommitOid");
+      callback.withArgs("refs/pull/1/merge").resolves("b".repeat(64));
+      callback.withArgs("HEAD").resolves("b".repeat(64));
+
+      const actualRef = await gitUtils.getRef();
+      t.deepEqual(actualRef, "refs/pull/2/merge");
+      callback.restore();
+      getAdditionalInputStub.restore();
+    });
+  },
+);
+
 test.serial("isAnalyzingDefaultBranch()", async (t) => {
  process.env["GITHUB_EVENT_NAME"] = "push";
  process.env["CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH"] = "true";
@@ -305,6 +393,25 @@ test.serial("determineBaseBranchHeadCommitOid other error", async (t) => {
  infoStub.restore();
 });

+test.serial(
+  "determineBaseBranchHeadCommitOid returns baseOid for SHA-256 merge commit",
+  async (t) => {
+    const mergeSha = "a".repeat(64);
+    const baseOid = "b".repeat(64);
+    const headOid = "c".repeat(64);
+
+    process.env["GITHUB_EVENT_NAME"] = "pull_request";
+    process.env["GITHUB_SHA"] = mergeSha;
+
+    sinon
+      .stub(gitUtils as any, "runGitCommand")
+      .resolves(`commit ${mergeSha}\nparent ${baseOid}\nparent ${headOid}\n`);
+
+    const result = await gitUtils.determineBaseBranchHeadCommitOid(__dirname);
+    t.deepEqual(result, baseOid);
+  },
+);
+
 test.serial("decodeGitFilePath unquoted strings", async (t) => {
  t.deepEqual(gitUtils.decodeGitFilePath("foo"), "foo");
  t.deepEqual(gitUtils.decodeGitFilePath("foo bar"), "foo bar");
@@ -482,6 +589,61 @@ test.serial(
  },
 );

+test.serial(
+  "getFileOidsUnderPath handles SHA-256 OIDs (64-char)",
+  async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      sinon
+        .stub(gitUtils as any, "runGitCommand")
+        .callsFake(async (_cwd: any, args: any) => {
+          if (args[0] === "rev-parse") {
+            return `${tmpDir}\n`;
+          }
+          return (
+            "100644 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2c0d4b7e8f9a1234567890ab 0\tlib/git-utils.js\n" +
+            "100644 aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899 0\tsrc/git-utils.ts"
+          );
+        });
+
+      const result = await gitUtils.getFileOidsUnderPath("/fake/path");
+
+      t.deepEqual(result, {
+        "lib/git-utils.js":
+          "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2c0d4b7e8f9a1234567890ab",
+        "src/git-utils.ts":
+          "aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899",
+      });
+    });
+  },
+);
+
+test.serial(
+  "getFileOidsUnderPath handles mixed SHA-1 and SHA-256 OIDs",
+  async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      sinon
+        .stub(gitUtils as any, "runGitCommand")
+        .callsFake(async (_cwd: any, args: any) => {
+          if (args[0] === "rev-parse") {
+            return `${tmpDir}\n`;
+          }
+          return (
+            "100644 30d998ded095371488be3a729eb61d86ed721a18 0\tlib/sha1-file.js\n" +
+            "100644 aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899 0\tsrc/sha256-file.ts"
+          );
+        });
+
+      const result = await gitUtils.getFileOidsUnderPath("/fake/path");
+
+      t.deepEqual(result, {
+        "lib/sha1-file.js": "30d998ded095371488be3a729eb61d86ed721a18",
+        "src/sha256-file.ts":
+          "aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899",
+      });
+    });
+  },
+);
+
 test.serial(
  "getGitVersionOrThrow returns version for valid git output",
  async (t) => {
@@ -166,8 +166,8 @@ export const determineBaseBranchHeadCommitOid = async function (
    // Let's confirm our assumptions: We had a merge commit and the parsed parent data looks correct
    if (
      commitOid === mergeSha &&
-      headOid.length === 40 &&
-      baseOid.length === 40
+      (headOid.length === 40 || headOid.length === 64) &&
+      (baseOid.length === 40 || baseOid.length === 64)
    ) {
      return baseOid;
    }
@@ -296,7 +296,7 @@ export const getFileOidsUnderPath = async function (
  // 100644 4c51bc1d9e86cd86e01b0f340cb8ce095c33b283 0\tsrc/git-utils.test.ts
  // 100644 6b792ea543ce75d7a8a03df591e3c85311ecb64f 0\tsrc/git-utils.ts
  // The fields are: <mode> <oid> <stage>\t<path>
-  const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
+  const regex = /^[0-9]+ ([0-9a-f]{40,64}) [0-9]+\t(.+)$/;
  for (const line of stdout.split("\n")) {
    if (line) {
      const match = line.match(regex);
@@ -160,6 +160,9 @@ export const DEFAULT_ACTIONS_VARS = {
  RUNNER_OS: "Linux",
 } as const satisfies Record<string, string>;

+/** A 64-character SHA-256 Git OID for use in SHA-256 repository test scenarios. */
+export const SHA256_GITHUB_SHA = "0".repeat(64);
+
 // Sets environment variables that make using some libraries designed for
 // use only on actions safe to use outside of actions.
 export function setupActionsVars(
@@ -12,7 +12,7 @@ import * as api from "./api-client";
 import * as diffUtils from "./diff-informed-analysis-utils";
 import { getRunnerLogger, Logger } from "./logging";
 import * as sarif from "./sarif";
-import { setupTests } from "./testing-utils";
+import { setupTests, SHA256_GITHUB_SHA } from "./testing-utils";
 import * as uploadLib from "./upload-lib";
 import { UploadPayload } from "./upload-lib/types";
 import { GitHubVariant, initializeEnvironment, withTmpDir } from "./util";
@@ -110,6 +110,35 @@ test.serial(
  },
 );

+test.serial(
+  "validate correct payload used for PR merge commit with SHA-256 OIDs",
+  async (t) => {
+    process.env["GITHUB_EVENT_NAME"] = "pull_request";
+    process.env["GITHUB_SHA"] = SHA256_GITHUB_SHA;
+    process.env["GITHUB_BASE_REF"] = "master";
+    process.env["GITHUB_EVENT_PATH"] =
+      `${__dirname}/../src/testdata/pull_request.json`;
+
+    const sha256MergeBase = "b".repeat(64);
+    const prMergePayload: any = uploadLib.buildPayload(
+      SHA256_GITHUB_SHA,
+      "refs/pull/123/merge",
+      "key",
+      undefined,
+      "",
+      1234,
+      1,
+      "/opt/src",
+      undefined,
+      ["CodeQL", "eslint"],
+      sha256MergeBase,
+    );
+    // Uploads for a merge commit use the merge base (SHA-256)
+    t.deepEqual(prMergePayload.base_ref, "refs/heads/master");
+    t.deepEqual(prMergePayload.base_sha, sha256MergeBase);
+  },
+);
+
 test.serial("finding SARIF files", async (t) => {
  await withTmpDir(async (tmpDir) => {
    // include a couple of sarif files
Author	SHA1	Message	Date
Óscar San José	2041daafe4	Fix lint errors	2026-05-06 17:30:02 +02:00
copilot-swe-agent[bot]	807ce4efd0	Support SHA-256 Git object hashes in git-utils and tests Agent-Logs-Url: https://github.com/github/codeql-action/sessions/e39d1fb6-4ce3-47c3-9113-e41b111fc8fb Co-authored-by: oscarsj <1410188+oscarsj@users.noreply.github.com>	2026-05-04 15:53:11 +00:00
copilot-swe-agent[bot]	bd0f7a95e7	Initial plan	2026-05-04 15:43:19 +00:00
Michael B. Gale	a723e99345	Merge pull request #3868 from github/mergeback/v4.35.3-to-main-e46ed2cb Mergeback v4.35.3 refs/heads/releases/v4 into main	2026-05-01 14:34:01 +00:00
github-actions[bot]	fbba1e03be	Rebuild	2026-05-01 14:09:49 +00:00
github-actions[bot]	933238e8d5	Update changelog and version after v4.35.3	2026-05-01 14:06:46 +00:00