Merge pull request #3893 from github/henrymercer/sha256

Add support for SHA-256 Git object IDs

Author: henrymercer

CHANGELOG.md

@@ -4,7 +4,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 ## [UNRELEASED]
 
-No user facing changes.
+- Add support for SHA-256 Git object IDs. [#3893](https://github.com/github/codeql-action/pull/3893)
 
 ## 4.35.5 - 15 May 2026
 

lib/entry-points.js

@@ -75,10 +75,10 @@ const testShouldPerformDiffInformedAnalysis = makeMacro({
         [Feature.DiffInformedQueries]: testCase.featureEnabled,
       });
 
-      const getGitHubVersionStub = sinon
+      sinon
         .stub(apiClient, "getGitHubVersion")
         .resolves(testCase.gitHubVersion);
-      const getPullRequestBranchesStub = sinon
+      sinon
         .stub(actionsUtil, "getPullRequestBranches")
         .returns(testCase.pullRequestBranches);
 
@@ -91,9 +91,6 @@ const testShouldPerformDiffInformedAnalysis = makeMacro({
       t.is(branches !== undefined, expectedResult);
 
       delete process.env.CODEQL_ACTION_DIFF_INFORMED_QUERIES;
-
-      getGitHubVersionStub.restore();
-      getPullRequestBranchesStub.restore();
     });
   },
   title: (title) => `getDiffInformedAnalysisBranches: ${title}`,

lib/upload-lib.js

@@ -33,7 +33,6 @@ test.serial(
 
       const actualRef = await gitUtils.getRef();
       t.deepEqual(actualRef, expectedRef);
-      callback.restore();
     });
   },
 );
@@ -54,7 +53,6 @@ test.serial(
 
       const actualRef = await gitUtils.getRef();
       t.deepEqual(actualRef, expectedRef);
-      callback.restore();
     });
   },
 );
@@ -73,7 +71,6 @@ test.serial(
 
       const actualRef = await gitUtils.getRef();
       t.deepEqual(actualRef, "refs/pull/1/head");
-      callback.restore();
     });
   },
 );
@@ -100,8 +97,6 @@ test.serial(
 
       const actualRef = await gitUtils.getRef();
       t.deepEqual(actualRef, "refs/pull/2/merge");
-      callback.restore();
-      getAdditionalInputStub.restore();
     });
   },
 );
@@ -161,7 +156,6 @@ test.serial(
             "Both 'ref' and 'sha' are required if one of them is provided.",
         },
       );
-      getAdditionalInputStub.restore();
     });
   },
 );
@@ -188,7 +182,6 @@ test.serial(
             "Both 'ref' and 'sha' are required if one of them is provided.",
         },
       );
-      getAdditionalInputStub.restore();
     });
   },
 );
@@ -242,7 +235,6 @@ test.serial("isAnalyzingDefaultBranch()", async (t) => {
     process.env["GITHUB_EVENT_NAME"] = "schedule";
     process.env["GITHUB_REF"] = "refs/heads/main";
     t.deepEqual(await gitUtils.isAnalyzingDefaultBranch(), false);
-    getAdditionalInputStub.restore();
   });
 });
 
@@ -254,8 +246,6 @@ test.serial("determineBaseBranchHeadCommitOid non-pullrequest", async (t) => {
   const result = await gitUtils.determineBaseBranchHeadCommitOid(__dirname);
   t.deepEqual(result, undefined);
   t.deepEqual(0, infoStub.callCount);
-
-  infoStub.restore();
 });
 
 test.serial(
@@ -276,8 +266,6 @@ test.serial(
       "git call failed. Will calculate the base branch SHA on the server. Error: " +
         "The checkout path provided to the action does not appear to be a git repository.",
     );
-
-    infoStub.restore();
   },
 );
 
@@ -301,10 +289,27 @@ test.serial("determineBaseBranchHeadCommitOid other error", async (t) => {
       "The checkout path provided to the action does not appear to be a git repository.",
     ),
   );
-
-  infoStub.restore();
 });
 
+test.serial(
+  "determineBaseBranchHeadCommitOid accepts SHA-256 OIDs",
+  async (t) => {
+    const mergeSha = "a".repeat(64);
+    const baseOid = "b".repeat(64);
+    const headOid = "c".repeat(64);
+
+    process.env["GITHUB_EVENT_NAME"] = "pull_request";
+    process.env["GITHUB_SHA"] = mergeSha;
+
+    sinon
+      .stub(gitUtils as any, "runGitCommand")
+      .resolves(`commit ${mergeSha}\nparent ${baseOid}\nparent ${headOid}\n`);
+
+    const result = await gitUtils.determineBaseBranchHeadCommitOid(__dirname);
+    t.deepEqual(result, baseOid);
+  },
+);
+
 test.serial("decodeGitFilePath unquoted strings", async (t) => {
   t.deepEqual(gitUtils.decodeGitFilePath("foo"), "foo");
   t.deepEqual(gitUtils.decodeGitFilePath("foo bar"), "foo bar");
@@ -436,6 +441,64 @@ test.serial("getFileOidsUnderPath handles quoted paths", async (t) => {
   });
 });
 
+test.serial("getFileOidsUnderPath handles SHA-256 OIDs", async (t) => {
+  await withTmpDir(async (tmpDir) => {
+    const sha256OidA =
+      "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2c0d4b7e8f9a1234567890ab";
+    const sha256OidB =
+      "aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899";
+
+    sinon
+      .stub(gitUtils as any, "runGitCommand")
+      .callsFake(async (_cwd: any, args: any) => {
+        if (args[0] === "rev-parse") {
+          return `${tmpDir}\n`;
+        }
+        return (
+          `100644 ${sha256OidA} 0\tlib/sha256-file-a.js\n` +
+          `100644 ${sha256OidB} 0\tsrc/sha256-file-b.ts`
+        );
+      });
+
+    const result = await gitUtils.getFileOidsUnderPath("/fake/path");
+
+    t.deepEqual(result, {
+      "lib/sha256-file-a.js": sha256OidA,
+      "src/sha256-file-b.ts": sha256OidB,
+    });
+  });
+});
+
+test.serial(
+  "getFileOidsUnderPath rejects OIDs of unsupported length",
+  async (t) => {
+    await withTmpDir(async (tmpDir) => {
+      // 50-char OID: not a valid SHA-1 (40) or SHA-256 (64) length. The regex
+      // must not accept this even though every character is a valid hex digit.
+      const invalidLine =
+        "100644 30d998ded095371488be3a729eb61d86ed721a1830d998ded0 0\tlib/bad.js";
+      sinon
+        .stub(gitUtils as any, "runGitCommand")
+        .callsFake(async (_cwd: any, args: any) => {
+          if (args[0] === "rev-parse") {
+            return `${tmpDir}\n`;
+          }
+          return invalidLine;
+        });
+
+      await t.throwsAsync(
+        async () => {
+          await gitUtils.getFileOidsUnderPath("/fake/path");
+        },
+        {
+          instanceOf: Error,
+          message: `Unexpected "git ls-files" output: ${invalidLine}`,
+        },
+      );
+    });
+  },
+);
+
 test.serial("getFileOidsUnderPath handles empty output", async (t) => {
   await withTmpDir(async (tmpDir) => {
     sinon

src/diff-informed-analysis-utils.test.ts

@@ -163,11 +163,12 @@ export const determineBaseBranchHeadCommitOid = async function (
       }
     }
 
-    // Let's confirm our assumptions: We had a merge commit and the parsed parent data looks correct
+    // Let's confirm our assumptions: We had a merge commit and the parsed parent
+    // data looks correct. OIDs are either 40 (SHA-1) or 64 (SHA-256) hex characters.
     if (
       commitOid === mergeSha &&
-      headOid.length === 40 &&
-      baseOid.length === 40
+      (headOid.length === 40 || headOid.length === 64) &&
+      (baseOid.length === 40 || baseOid.length === 64)
     ) {
       return baseOid;
     }
@@ -296,7 +297,8 @@ export const getFileOidsUnderPath = async function (
   // 100644 4c51bc1d9e86cd86e01b0f340cb8ce095c33b283 0\tsrc/git-utils.test.ts
   // 100644 6b792ea543ce75d7a8a03df591e3c85311ecb64f 0\tsrc/git-utils.ts
   // The fields are: <mode> <oid> <stage>\t<path>
-  const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
+  // The OID is either 40 (SHA-1) or 64 (SHA-256) hex characters.
+  const regex = /^[0-9]+ ([0-9a-f]{40}|[0-9a-f]{64}) [0-9]+\t(.+)$/;
   for (const line of stdout.split("\n")) {
     if (line) {
       const match = line.match(regex);

src/git-utils.test.ts

@@ -80,65 +80,46 @@ const testDownloadOverlayBaseDatabaseFromCache = makeMacro({
         await fs.promises.writeFile(baseDatabaseOidsFile, JSON.stringify({}));
       }
 
-      const stubs: sinon.SinonStub[] = [];
+      sinon.stub(apiClient, "getAutomationID").resolves("test-automation-id/");
 
-      const getAutomationIDStub = sinon
-        .stub(apiClient, "getAutomationID")
-        .resolves("test-automation-id/");
-      stubs.push(getAutomationIDStub);
-
-      const isInTestModeStub = sinon
-        .stub(utils, "isInTestMode")
-        .returns(testCase.isInTestMode);
-      stubs.push(isInTestModeStub);
+      sinon.stub(utils, "isInTestMode").returns(testCase.isInTestMode);
 
       if (testCase.restoreCacheResult instanceof Error) {
-        const restoreCacheStub = sinon
+        sinon
           .stub(actionsCache, "restoreCache")
           .rejects(testCase.restoreCacheResult);
-        stubs.push(restoreCacheStub);
       } else {
-        const restoreCacheStub = sinon
+        sinon
           .stub(actionsCache, "restoreCache")
           .resolves(testCase.restoreCacheResult);
-        stubs.push(restoreCacheStub);
       }
 
-      const tryGetFolderBytesStub = sinon
+      sinon
         .stub(utils, "tryGetFolderBytes")
         .resolves(testCase.tryGetFolderBytesSucceeds ? 1024 * 1024 : undefined);
-      stubs.push(tryGetFolderBytesStub);
 
       const codeql = mockCodeQLVersion(testCase.codeQLVersion);
 
       if (testCase.resolveDatabaseOutput instanceof Error) {
-        const resolveDatabaseStub = sinon
+        sinon
           .stub(codeql, "resolveDatabase")
           .rejects(testCase.resolveDatabaseOutput);
-        stubs.push(resolveDatabaseStub);
       } else {
-        const resolveDatabaseStub = sinon
+        sinon
           .stub(codeql, "resolveDatabase")
           .resolves(testCase.resolveDatabaseOutput);
-        stubs.push(resolveDatabaseStub);
       }
 
-      try {
-        const result = await downloadOverlayBaseDatabaseFromCache(
-          codeql,
-          config,
-          logger,
-        );
+      const result = await downloadOverlayBaseDatabaseFromCache(
+        codeql,
+        config,
+        logger,
+      );
 
-        if (expectDownloadSuccess) {
-          t.truthy(result);
-        } else {
-          t.is(result, undefined);
-        }
-      } finally {
-        for (const stub of stubs) {
-          stub.restore();
-        }
+      if (expectDownloadSuccess) {
+        t.truthy(result);
+      } else {
+        t.is(result, undefined);
       }
     });
   },