From 6f408f62ba4ad3a5b31a8248e3afcf23f14f8c1f Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Tue, 3 Mar 2026 04:24:47 +0000 Subject: [PATCH] fix: prevent stale-SHA checkout in scheduled CodeQL security scan MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The scheduled CodeQL analysis explicitly passed ref: github.sha, which is frozen when a cron job is queued, not when it runs. Under load or during a long queue, the analysis could scan code that is days old, missing vulnerabilities introduced since the last scheduling window. Replace with ref: github.ref_name so all trigger types — scheduled, push, and pull_request — consistently scan the current HEAD of the branch being processed. --- .github/workflows/codeql.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index edd872cc..e7383153 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -39,7 +39,11 @@ jobs: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: - ref: ${{ github.sha }} + # For scheduled runs, github.sha is frozen at queue time and can be + # days old by the time the job executes. Use ref_name to always scan + # current branch HEAD. For push/PR triggers, ref_name == the branch + # being pushed/opened, which is the correct behaviour. + ref: ${{ github.ref_name }} - name: Verify CodeQL parity guard if: matrix.language == 'go'
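Review bot: The new `ref: ${{ github.ref_name }}` does not handle the `pull_request` case the added comment claims it does: on that event `github.ref_name` is `<number>/merge`, not a branch, and actions/checkout only resolves pull refs in the fully qualified `refs/pull/<number>/merge` form, so the checkout is likely to fail rather than scan the PR merge commit. A safer shape is to keep the default checkout for push and pull_request (it already checks out the triggering SHA or the PR merge ref) and override only for the cron trigger, e.g. `ref: ${{ github.event_name == 'schedule' && github.ref_name || '' }}`, since an empty `ref` falls back to the action's default. Checking out a moving branch tip also means the analysed commit can differ from the `github.sha` the workflow run is attributed to; confirm that the CodeQL analyze step records the commit it actually scanned (`git rev-parse HEAD` in the checkout) rather than `GITHUB_SHA`, otherwise Code Scanning alerts may be attached to a commit whose code was not analysed. The enclosing job's `steps:` list continues outside the hunk.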