
[upload-sarif@v3] action completely ignores the `sha` input and uses the commit hash from `checkout_path` instead

Open acejarvis opened this issue 9 months ago • 2 comments

  • Usage:

```yaml
uses: github/codeql-action/upload-sarif@v3
with:
  sarif_file: sarif-results/fix-paths-cpp.sarif
  ref: refs/heads/main
  sha: a8e616ed369f7f74173a13c5489dbae89c3b12
  checkout_path: /runner/_work/parent-repo/build
```
  • Output from action:

```text
request: {
      method: 'PUT',
      url: 'https://github.com/api/v3/repos/PFO/OpenSIL/code-scanning/analysis',
      headers: {
        accept: 'application/vnd.github.v3+json',
        'user-agent': 'CodeQL-Action/3.22.12 octokit-core.js/3.6.0 Node.js/20.18.0 (linux; x64)',
        authorization: 'token [REDACTED]',
        'content-type': 'application/json; charset=utf-8'
      },
      body: '{"commit_oid":"b0b0efb3f489d6c16d35gsfd4b388173h99e1049","ref":"refs/heads/main","analysis_key":".github/workflows/codeql-nightly.yml:codeql","analysis_name":"CodeQL- Nightly","sarif":"..."}'
```

From the output, we can see that it is not actually uploading with the commit_oid that we assigned in the sha input.

Looking at the src code of the upload-sarif action:

  • https://github.com/github/codeql-action/blob/main/src/upload-sarif-action.ts#L91
  • https://github.com/github/codeql-action/blob/main/src/upload-lib.ts#L605

It is actually using the commit hash sha from the repo under the checkout_path, which completely ignores the sha input in the action.

acejarvis, Mar 14 '25 17:03
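Given the observation in the report above (the upload carries the HEAD of the repository under `checkout_path`, whatever `sha` says), a workflow author who cares that code-scanning alerts land on the intended commit can check this before the upload step runs. The following POSIX shell helpers are an added example, not code from the codeql-action project; `head_of_checkout` assumes `git` is on PATH, and the two OID values in the comments are taken from the report to show what the malformed-input checks catch.

```sh
#!/bin/sh
# Added example: pre-flight checks for a workflow step that calls upload-sarif.
# The action reports the HEAD of `checkout_path`, so make sure that HEAD is the
# commit you meant before uploading, and validate the OIDs while you are at it.

# Return 0 if $1 is a full commit OID: exactly 40 lowercase hex characters.
is_full_sha() {
  [ "${#1}" -eq 40 ] || return 1
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# The commit the action will actually send: HEAD of the checkout (per the report).
# Assumes git is available and $1 is a git work tree.
head_of_checkout() {
  git -C "$1" rev-parse HEAD
}

# Pull commit_oid out of a debug log line shaped like  body: '{"commit_oid":"...",...}'
commit_oid_from_log() {
  printf '%s\n' "$1" | sed -n 's/.*"commit_oid":"\([^"]*\)".*/\1/p'
}

# Compare the sha you intended ($1) with the one the upload will carry ($2).
# Exit codes: 0 match, 1 mismatch, 2 malformed expected sha, 3 malformed actual sha.
# The report's sha input (a8e616ed369f7f74173a13c5489dbae89c3b12) is 38 chars and
# its logged commit_oid contains non-hex characters; both trip these checks.
check_upload_commit() {
  expected="$1"; actual="$2"
  is_full_sha "$expected" || { echo "sha input '$expected' is not a 40-char hex OID" >&2; return 2; }
  is_full_sha "$actual"   || { echo "reported commit_oid '$actual' is not a 40-char hex OID" >&2; return 3; }
  if [ "$expected" != "$actual" ]; then
    echo "upload would be attributed to $actual, not $expected" >&2
    return 1
  fi
  return 0
}

# Workflow-step usage: fail before upload if checkout_path is not at the intended commit.
#   verify_checkout_matches_sha "$INTENDED_SHA" /runner/_work/parent-repo/build
verify_checkout_matches_sha() {
  check_upload_commit "$1" "$(head_of_checkout "$2")"
}
```

Run `verify_checkout_matches_sha` as a step immediately before `upload-sarif` so a wrong-commit upload fails the job instead of silently attaching results to whatever HEAD the build directory happens to be on.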

Hi @acejarvis,

Thanks for your question. We are looking into it and will provide an update as soon as possible.

rvermeulen, Mar 19 '25 22:03

Hi @acejarvis,

Could you share information on your use case for the sha option, to help us understand whether that use case is supported and we have a bug?

rvermeulen, Mar 20 '25 21:03