From 1add57d56c981ffdfda7c29e245a90a934a4916a Mon Sep 17 00:00:00 2001
From: Matt Andreko <mandreko@bitwarden.com>
Date: Fri, 21 Mar 2025 09:13:00 -0400
Subject: [PATCH] Fix SARIF upload branch ref/sha (#4899)

---
 .github/workflows/scan-authenticator.yml | 2 ++
 .github/workflows/scan-ci.yml            | 2 ++
 .github/workflows/scan.yml               | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/.github/workflows/scan-authenticator.yml b/.github/workflows/scan-authenticator.yml
index b9d73dcc35..0ad7df376b 100644
--- a/.github/workflows/scan-authenticator.yml
+++ b/.github/workflows/scan-authenticator.yml
@@ -49,6 +49,8 @@ jobs:
         uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
         with:
           sarif_file: cx_result.sarif
+          sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
+          ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
 
   quality:
     name: Quality scan
diff --git a/.github/workflows/scan-ci.yml b/.github/workflows/scan-ci.yml
index 1be3733df2..4b5ace86d8 100644
--- a/.github/workflows/scan-ci.yml
+++ b/.github/workflows/scan-ci.yml
@@ -37,6 +37,8 @@ jobs:
         uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
         with:
           sarif_file: cx_result.sarif
+          sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
+          ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
 
   quality:
     name: Quality scan
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index ac2c754e9d..99cb9c8d61 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -44,6 +44,8 @@ jobs:
         uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
         with:
           sarif_file: cx_result.sarif
+          sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
+          ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
 
   quality:
     name: Quality scan