GitHub Actions 6f408f62ba fix: prevent stale-SHA checkout in scheduled CodeQL security scan ...

The scheduled CodeQL analysis explicitly passed ref: github.sha, which
is frozen when a cron job is queued, not when it runs. Under load or
during a long queue, the analysis could scan code that is days old,
missing vulnerabilities introduced since the last scheduling window.

Replace with ref: github.ref_name so all trigger types — scheduled,
push, and pull_request — consistently scan the current HEAD of the
branch being processed.

2026-03-03 04:24:47 +00:00

8.5 KiB

Raw Blame History

View Raw