Git commit sha detection inconsistent between telemetry and actual operations

[rneatherway]

See:

codeql-action/src/status-report.ts

Lines 271 to 272 in cac5926

	const commitOid =
	getOptionalInput("sha") || process.env["GITHUB_SHA"] || "";

vs:

codeql-action/src/git-utils.ts

Lines 48 to 69 in cac5926

	export const getCommitOid = async function (
	checkoutPath: string,
	ref = "HEAD",
	): Promise<string> {
	// Try to use git to get the current commit SHA. If that fails then
	// log but otherwise silently fall back to using the SHA from the environment.
	// The only time these two values will differ is during analysis of a PR when
	// the workflow has changed the current commit to the head commit instead of
	// the merge commit, which must mean that git is available.
	// Even if this does go wrong, it's not a huge problem for the alerts to
	// reported on the merge commit.
	try {
	const stdout = await runGitCommand(
	checkoutPath,
	["rev-parse", ref],
	"Continuing with commit SHA from user input or environment.",
	);
	return stdout.trim();
	} catch {
	return getOptionalInput("sha") || getRequiredEnvParam("GITHUB_SHA");
	}
	};

So if the checkout is at a different sha from GITHUB_SHA then the two are different. In my case this made debugging very difficult because when I reran the workflow with debug logging enabled the telemetry calls were printed and showed me it reporting a different sha from the one that is actually used by the upload action.

I suspect this happened because the the telemetry was added later and we originally implemented the "sha of current checkout" behaviour so that it worked outside actions. Removing the "sha of current checkout" behaviour, or making it the lowest priority, feels like the "most correct" fix, but more risky than just changing the telemetry to use the getCommitOid function.

[mbg]

Hi @rneatherway 👋🏻

Nice to see you around and thanks for flagging this up! Sorry it has made debugging unnecessarily difficult. I think this is a similar sort of issue to one I opened internally recently. I'll keep track of it and see if we can get it addressed soon.

[rneatherway]

Hi @rneatherway 👋🏻

Nice to see you around and thanks for flagging this up! Sorry it has made debugging unnecessarily difficult. I think this is a similar sort of issue to one I opened internally recently. I'll keep track of it and see if we can get it addressed soon.

Cheers! No worries 😁