1. Checks for sha input first, If the user explicitly sets sha in the analyze or upload-sarif action, that value is used immediately
2. Falls back to git - If no sha input, runs git rev-parse as before
3. Final fallback to GITHUB_SHA - If git fails, uses the environment variable
Ex testing, if a different repo is cloned into the root of the runner - it is not possible to overload the SHA used to upload the SARIF (it will always use the git rev-parse to get the commit sha from the checkoutPath )
Risk assessment
For internal use only. Please select the risk level of this change:
Which use cases does this change impact?
Workflow types:
Products:
Environments:
How did/will you validate this change?
If something goes wrong after this change is released, what are the mitigation and rollback strategies?
How will you know if something goes wrong after this change is released?
Are there any special considerations for merging or releasing this change?
Merge / deployment checklist