Skip to content

Support SHA-256 Git object hashes (64-char OIDs)#3872

Open
Copilot wants to merge 3 commits intomainfrom
copilot/support-sha-256-git-hashes-again
Open

Support SHA-256 Git object hashes (64-char OIDs)#3872
Copilot wants to merge 3 commits intomainfrom
copilot/support-sha-256-git-hashes-again

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented May 4, 2026
edited
Loading

Git is transitioning to SHA-256 as the default object hash (64 hex chars vs SHA-1's 40). Two production code paths hard-coded assumptions about 40-char OIDs, causing silent failures or errors in SHA-256 repositories.

Production fixes (src/git-utils.ts)

  • getFileOidsUnderPath(): Regex {40}{40,64} — previously all entries failed to match in SHA-256 repos, causing an error throw.
  • determineBaseBranchHeadCommitOid(): Length checks === 40(=== 40 || === 64) — previously the condition was always false for 64-char OIDs, causing silent undefined return and fallback to server-side base SHA calculation.

Test coverage (src/git-utils.test.ts, src/upload-lib.test.ts, src/testing-utils.ts)

  • Added SHA256_GITHUB_SHA = "0".repeat(64) constant to testing-utils.ts
  • SHA-256 variants for getRef() tests (merge PR ref, checkout@v1 path, head PR ref, explicit input)
  • SHA-256 test for determineBaseBranchHeadCommitOid returning the correct base OID from a 64-char merge commit
  • SHA-256 tests for getFileOidsUnderPath (pure 64-char OIDs and mixed SHA-1/SHA-256)
  • SHA-256 upload payload test in upload-lib.test.ts

Risk assessment

  • Low risk: Test coverage for fixed code paths. No behavior change for SHA-1 repos.

Which use cases does this change impact?

  • Advanced setup - Impacts users who have custom CodeQL workflows.
  • Managed - Impacts users with dynamic workflows (Default Setup, Code Quality, ...).

Products:

  • Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
  • Code Quality - The changes impact analyses when analysis-kinds: code-quality.
  • Other first-party - The changes impact other first-party analyses.
  • Third-party analyses - The changes affect the upload-sarif action.

Environments:

  • Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.
  • GHES - Impacts CodeQL workflows on GitHub Enterprise Server.

How did/will you validate this change?

  • Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

  • Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

  • Telemetry - I rely on existing telemetry or have made changes to the telemetry.
    • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

  • No special considerations - This change can be merged at any time.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Consider adding a changelog entry for this change.
  • Confirm the readme and docs have been updated if necessary.

Copilot AI changed the title [WIP] Fix regex to support SHA-256 Git object hashes Support SHA-256 Git object hashes (64-char OIDs) May 4, 2026
Copilot finished work on behalf of oscarsj May 4, 2026 15:55
Copilot AI requested a review from oscarsj May 4, 2026 15:55
@github-actions github-actions Bot added the size/M Should be of average difficulty to review label May 4, 2026
@oscarsj oscarsj marked this pull request as ready for review May 6, 2026 15:30
Copilot AI review requested due to automatic review settings May 6, 2026 15:30
@oscarsj oscarsj requested a review from a team as a code owner May 6, 2026 15:30
koesie10
koesie10 reviewed May 7, 2026
View reviewed changes
Comment thread src/git-utils.ts
// 100644 6b792ea543ce75d7a8a03df591e3c85311ecb64f 0\tsrc/git-utils.ts
// The fields are: <mode> <oid> <stage>\t<path>
const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
const regex = /^[0-9]+ ([0-9a-f]{40,64}) [0-9]+\t(.+)$/;
Copy link
Copy Markdown
Member

@koesie10 koesie10 May 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we usually prefer a regex that only allows 40 or 64 character SHAs, something like this:

Suggested change
const regex = /^[0-9]+ ([0-9a-f]{40,64}) [0-9]+\t(.+)$/;
const regex = /^[0-9]+ ([0-9a-f]{40}(?:[a-f0-9]{24})?) [0-9]+\t(.+)$/;

mbg
mbg reviewed May 7, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@mbg mbg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few minor comments, mainly about some of the added tests that cover functions which don't perform any validation and are unchanged in this PR. I am not greatly opposed to adding these tests, since they could protect against accidentally breaking this in the future, but I want to be sure that this is an intentional goal here and not just Copilot adding tests it doesn't understand.

If we do want these tests, then it might make sense to just reuse the existing test implementations and put them in a loop rather than duplicating the implementations.

Comment thread src/testing-utils.ts
} as const satisfies Record<string, string>;

/** A 64-character SHA-256 Git OID for use in SHA-256 repository test scenarios. */
export const SHA256_GITHUB_SHA = "0".repeat(64);
Copy link
Copy Markdown
Member

@mbg mbg May 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor: This is only used in upload-lib.test.ts so I don't think it needs to be in testing-utils.ts.

Additionally, the name is misleading. There's nothing GitHub-specific about a SHA256 hash.

Comment thread src/upload-lib.test.ts
`${__dirname}/../src/testdata/pull_request.json`;

const sha256MergeBase = "b".repeat(64);
const prMergePayload: any = uploadLib.buildPayload(
Copy link
Copy Markdown
Member

@mbg mbg May 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The addition of this test doesn't make sense: buildPayload doesn't perform any validation. Indeed, this test passes without any of the changes to git-utils.ts.

Comment thread src/git-utils.test.ts
const callback = sinon.stub(gitUtils, "getCommitOid");
callback.withArgs("HEAD").resolves(currentSha);

const actualRef = await gitUtils.getRef();
Copy link
Copy Markdown
Member

@mbg mbg May 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

getRef() doesn't perform any validation, so the four new tests for getRef() here pass without the changes in this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mbg mbg mbg left review comments

@koesie10 koesie10 koesie10 left review comments

Copilot code review Copilot Awaiting requested review from Copilot

+1 more reviewer

@oscarsj oscarsj oscarsj approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@oscarsj oscarsj

Copilot code review Copilot

Labels

size/M Should be of average difficulty to review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mbg @koesie10 @oscarsj