Use correct SHA for pull request events

In a pull request, GITHUB_SHA is set to the "last merge commit on the GITHUB_REF branch". This isn't the correct value to use when generating a dependency graph. This changes to use the value of `pull_request.head.sha`, which is the correct value for a dependency graph. Fixes #882
2024-10-06 02:34:24 -04:00 · 2023-09-26 05:14:11 -06:00 · 2023-09-26 05:14:11 -06:00 · 87ccc98a2a
commit 87ccc98a2a
parent 4441c9f9bf
3 changed files with 36 additions and 5 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -19,6 +19,7 @@
        "@actions/http-client": "2.1.1",
        "@actions/tool-cache": "2.0.1",
        "@octokit/rest": "19.0.13",
+        "@octokit/webhooks-types": "7.3.0",
        "string-argv": "0.3.2"
      },
      "devDependencies": {
@ -1817,6 +1818,11 @@
        "@octokit/openapi-types": "^12.11.0"
      }
    },
+    "node_modules/@octokit/webhooks-types": {
+      "version": "7.3.0",
+      "resolved": "https://registry.npmjs.org/@octokit/webhooks-types/-/webhooks-types-7.3.0.tgz",
+      "integrity": "sha512-DnZ0JdT6+me5a74H/FxHz6Pu3udTtGj5qfno9GhHWgdJoqo1EvaBWqnXRN2//XarzgfbsgkBO9Kzv7ap99mNuQ=="
+    },
    "node_modules/@opentelemetry/api": {
      "version": "1.4.1",
      "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.4.1.tgz",
@ -9552,6 +9558,11 @@
        "@octokit/openapi-types": "^12.11.0"
      }
    },
+    "@octokit/webhooks-types": {
+      "version": "7.3.0",
+      "resolved": "https://registry.npmjs.org/@octokit/webhooks-types/-/webhooks-types-7.3.0.tgz",
+      "integrity": "sha512-DnZ0JdT6+me5a74H/FxHz6Pu3udTtGj5qfno9GhHWgdJoqo1EvaBWqnXRN2//XarzgfbsgkBO9Kzv7ap99mNuQ=="
+    },
    "@opentelemetry/api": {
      "version": "1.4.1",
      "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.4.1.tgz",
--- a/package.json
+++ b/package.json
@ -39,6 +39,7 @@
    "@actions/http-client": "2.1.1",
    "@actions/tool-cache": "2.0.1",
    "@octokit/rest": "19.0.13",
+    "@octokit/webhooks-types": "7.3.0",
    "string-argv": "0.3.2"
  },
  "devDependencies": {
@ -52,7 +53,7 @@
    "eslint-plugin-jest": "27.4.0",
    "eslint-plugin-prettier": "5.0.0",
    "jest": "29.7.0",
-    "js-yaml": "4.1.0", 
+    "js-yaml": "4.1.0",
    "patch-package": "8.0.0",
    "prettier": "3.0.3",
    "ts-jest": "29.1.1",
--- a/src/dependency-graph.ts
+++ b/src/dependency-graph.ts
@ -4,6 +4,7 @@ import * as github from '@actions/github'
 import * as glob from '@actions/glob'
 import * as toolCache from '@actions/tool-cache'
 import {GitHub} from '@actions/github/lib/utils'
+import type {PullRequestEvent} from '@octokit/webhooks-types'

 import * as path from 'path'
 import fs from 'fs'
@ -19,12 +20,11 @@ export function setup(option: DependencyGraphOption): void {
    }

    core.info('Enabling dependency graph generation')
-    const jobCorrelator = getJobCorrelator()
    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_ENABLED', 'true')
-    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR', jobCorrelator)
+    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_JOB_CORRELATOR', getJobCorrelator())
    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_JOB_ID', github.context.runId)
    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_REF', github.context.ref)
-    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_SHA', github.context.sha)
+    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_SHA', getShaFromContext())
    core.exportVariable('GITHUB_DEPENDENCY_GRAPH_WORKSPACE', layout.workspaceDirectory())
    core.exportVariable(
        'DEPENDENCY_GRAPH_REPORT_DIR',
@ -152,7 +152,26 @@ function getRelativePathFromWorkspace(file: string): string {
    return path.relative(workspaceDirectory, file)
 }

-export function getJobCorrelator(): string {
+function getShaFromContext(): string {
+    const context = github.context
+    const pullRequestEvents = [
+        'pull_request',
+        'pull_request_comment',
+        'pull_request_review',
+        'pull_request_review_comment'
+        // Note that pull_request_target is omitted here.
+        // That event runs in the context of the base commit of the PR,
+        // so the snapshot should not be associated with the head commit.
+    ]
+    if (pullRequestEvents.includes(context.eventName)) {
+        const pr = (context.payload as PullRequestEvent).pull_request
+        return pr.head.sha
+    } else {
+        return context.sha
+    }
+}
+
+function getJobCorrelator(): string {
    return constructJobCorrelator(github.context.workflow, github.context.job, getJobMatrix())
 }