From 068ad76fd5efc80e600f3e8c3c7f66b1ff19e183 Mon Sep 17 00:00:00 2001
From: Matt Andreko <mandreko@bitwarden.com>
Date: Thu, 20 Mar 2025 14:28:17 -0400
Subject: [PATCH] Update SARIF upload to use proper branch (#360)

---
 .github/workflows/build-unified.yml | 2 ++
 .github/workflows/scan.yml          | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/.github/workflows/build-unified.yml b/.github/workflows/build-unified.yml
index 0d1f6d6..452177c 100644
--- a/.github/workflows/build-unified.yml
+++ b/.github/workflows/build-unified.yml
@@ -175,6 +175,8 @@ jobs:
         uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
         with:
           sarif_file: ${{ steps.container-scan.outputs.sarif }}
+          sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
+          ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
 
       - name: Log out of Docker
         if: ${{ env.is_publish_branch == 'true' }}
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index a327212..ae08813 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -46,6 +46,8 @@ jobs:
         uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
         with:
           sarif_file: cx_result.sarif
+          sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
+          ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
 
   quality:
     name: Quality scan