fix: prevent stale-SHA checkout in scheduled CodeQL security scan
The scheduled CodeQL analysis explicitly passed ref: github.sha, which is frozen when a cron job is queued, not when it runs. Under load or during a long queue, the analysis could scan code that is days old, missing vulnerabilities introduced since the last scheduling window. Replace with ref: github.ref_name so all trigger types — scheduled, push, and pull_request — consistently scan the current HEAD of the branch being processed.
.github/workflows/codeql.yml
@@ -39,7 +39,11 @@ jobs:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ github.sha }}
# For scheduled runs, github.sha is frozen at queue time and can be
# days old by the time the job executes. Use ref_name to always scan
# current branch HEAD. For push/PR triggers, ref_name == the branch
# being pushed/opened, which is the correct behaviour.
ref: ${{ github.ref_name }}
- name: Verify CodeQL parity guard
if: matrix.language == 'go'
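Review bot: the new comment on the `ref:` line states that for push/PR triggers `github.ref_name` is the branch being pushed or opened, but for `pull_request` events `github.ref_name` is `<pr_number>/merge`, which is not a branch; `actions/checkout` resolves an unqualified ref as a branch or tag, so PR-triggered jobs may now fail at checkout instead of scanning the PR merge commit as they did with `github.sha`. Scope the change to the trigger it is meant for and keep the previous behaviour elsewhere, e.g. `ref: ${{ github.event_name == 'schedule' && github.ref_name || github.sha }}`, and confirm with one push and one pull_request run before merging. A second point for the same line: checking out a moving branch tip decouples the scanned tree from the commit the results are attributed to. The CodeQL analyze/upload step attributes findings to `github.sha` by default, and nothing in this hunk passes the SHA that was actually checked out, so alerts from a scheduled scan will be filed against exactly the stale commit the message warns about. Either capture the checked-out commit after this step (`git rev-parse HEAD`) and feed it to the analyze step's `sha` input, or extend the comment to say that result attribution still uses the queue-time SHA.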