From f43702cb8304811bf2d144f8f31f2dcfa1bd41b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81lison=20Fernandes?=
Date: Wed, 2 Apr 2025 20:32:59 +0100
Subject: [PATCH] Set SARIF upload branch to the merge commit ref/sha retrieved from GH CLI (#4958)
---
 .github/workflows/scan-ci.yml | 3 ---
 .github/workflows/scan.yml | 19 +++++++++++++++++--
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/scan-ci.yml b/.github/workflows/scan-ci.yml
index 4b5ace86d8..7577aa2e3c 100644
--- a/.github/workflows/scan-ci.yml
+++ b/.github/workflows/scan-ci.yml
@@ -37,8 +37,6 @@ jobs:
 uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
 with:
 sarif_file: cx_result.sarif
- sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
- ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
 quality:
 name: Quality scan
@@ -60,4 +58,3 @@ jobs:
 args: >
 -Dsonar.organization=${{ github.repository_owner }}
 -Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}
- -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 99cb9c8d61..0f5f409607 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -40,12 +40,27 @@ jobs:
 --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
 --output-path . ${{ env.INCREMENTAL }}
+ - name: Get branch refs
+ id: get-branch-refs
+ env:
+ GH_TOKEN: ${{ github.token }}
+ _PR_NUMBER: ${{ github.event.pull_request.number }}
+ run: |
+ if [[ $GITHUB_EVENT_NAME == "pull_request_target" ]]; then
+ MERGE_SHA=$(gh api /repos/$GITHUB_REPOSITORY/pulls/$_PR_NUMBER --jq .merge_commit_sha)
+ echo "SHA=$MERGE_SHA" >> $GITHUB_OUTPUT
+ echo "REF=refs/pull/$_PR_NUMBER/merge" >> $GITHUB_OUTPUT
+ else
+ echo "SHA=$GITHUB_SHA" >> $GITHUB_OUTPUT
+ echo "REF=$GITHUB_REF" >> $GITHUB_OUTPUT
+ fi
+
 - name: Upload Checkmarx results to GitHub
 uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
 with:
 sarif_file: cx_result.sarif
- sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
- ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
+ sha: ${{ steps.get-branch-refs.outputs.SHA }}
+ ref: ${{ steps.get-branch-refs.outputs.REF }}
 quality:
 name: Quality scan
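Review bot: The `pull_request_target` branch of the new "Get branch refs" step does not handle an absent `merge_commit_sha`: GitHub computes that field asynchronously and returns it as null while the merge is pending or the PR is not mergeable, in which case `--jq .merge_commit_sha` prints the literal string `null`, the step writes `SHA=null` to `$GITHUB_OUTPUT`, and the upload-sarif step then tries to attach results to a commit that does not exist instead of failing at the point where the cause is visible. Using `--jq '.merge_commit_sha // empty'` and failing explicitly when `MERGE_SHA` is empty makes the failure mode obvious; while there, quote `"$GITHUB_OUTPUT"` and the API path so the script does not depend on word splitting. Since this job runs under `pull_request_target` with the repository token, it is worth confirming that the checkout the Checkmarx scan ran against (outside this hunk) is the same merge ref, otherwise the SARIF findings are attached to a commit whose tree was not the one scanned. The enclosing job definition starts above this hunk.
```yaml
      run: |
        if [[ "$GITHUB_EVENT_NAME" == "pull_request_target" ]]; then
          MERGE_SHA=$(gh api "/repos/$GITHUB_REPOSITORY/pulls/$_PR_NUMBER" --jq '.merge_commit_sha // empty')
          if [[ -z "$MERGE_SHA" ]]; then
            echo "::error::merge_commit_sha is not available yet for PR #$_PR_NUMBER" >&2
            exit 1
          fi
          echo "SHA=$MERGE_SHA" >> "$GITHUB_OUTPUT"
          echo "REF=refs/pull/$_PR_NUMBER/merge" >> "$GITHUB_OUTPUT"
        # … unchanged: else branch writing GITHUB_SHA / GITHUB_REF, fi …
```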