Use pull_request.head.sha for submissions where appropriate

Signed-off-by: Justin Holguin <juxtin@github.com>

package-lock.json

@@ -19,6 +19,7 @@
         "@actions/http-client": "2.1.1",
         "@actions/tool-cache": "2.0.1",
         "@octokit/rest": "19.0.13",
+        "@octokit/webhooks-types": "^7.3.0",
         "string-argv": "0.3.2"
       },
       "devDependencies": {
@@ -1817,6 +1818,11 @@
         "@octokit/openapi-types": "^12.11.0"
       }
     },
+    "node_modules/@octokit/webhooks-types": {
+      "version": "7.3.0",
+      "resolved": "https://registry.npmjs.org/@octokit/webhooks-types/-/webhooks-types-7.3.0.tgz",
+      "integrity": "sha512-DnZ0JdT6+me5a74H/FxHz6Pu3udTtGj5qfno9GhHWgdJoqo1EvaBWqnXRN2//XarzgfbsgkBO9Kzv7ap99mNuQ=="
+    },
     "node_modules/@opentelemetry/api": {
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.4.1.tgz",
@@ -9532,6 +9538,11 @@
         "@octokit/openapi-types": "^12.11.0"
       }
     },
+    "@octokit/webhooks-types": {
+      "version": "7.3.0",
+      "resolved": "https://registry.npmjs.org/@octokit/webhooks-types/-/webhooks-types-7.3.0.tgz",
+      "integrity": "sha512-DnZ0JdT6+me5a74H/FxHz6Pu3udTtGj5qfno9GhHWgdJoqo1EvaBWqnXRN2//XarzgfbsgkBO9Kzv7ap99mNuQ=="
+    },
     "@opentelemetry/api": {
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.4.1.tgz",

package.json

@@ -39,11 +39,12 @@
     "@actions/http-client": "2.1.1",
     "@actions/tool-cache": "2.0.1",
     "@octokit/rest": "19.0.13",
+    "@octokit/webhooks-types": "^7.3.0",
     "string-argv": "0.3.2"
   },
   "devDependencies": {
-    "@types/node": "16.18.38",
     "@types/jest": "29.5.4",
+    "@types/node": "16.18.38",
     "@types/unzipper": "0.10.6",
     "@typescript-eslint/parser": "6.4.1",
     "@vercel/ncc": "0.36.1",
@@ -52,7 +53,7 @@
     "eslint-plugin-jest": "27.2.3",
     "eslint-plugin-prettier": "5.0.0",
     "jest": "29.6.3",
-    "js-yaml": "4.1.0", 
+    "js-yaml": "4.1.0",
     "patch-package": "8.0.0",
     "prettier": "3.0.2",
     "ts-jest": "29.1.1",

src/dependency-graph.ts

@@ -4,6 +4,8 @@ import * as github from '@actions/github'
 import * as glob from '@actions/glob'
 import * as toolCache from '@actions/tool-cache'
 import {Octokit} from '@octokit/rest'
+import {Context} from '@actions/github/lib/context'
+import type {PullRequestEvent} from '@octokit/webhooks-types'
 
 import * as path from 'path'
 import fs from 'fs'
@@ -20,9 +22,11 @@ export function setup(option: DependencyGraphOption): void {
 
     core.info('Enabling dependency graph generation')
     const jobCorrelator = getJobCorrelator()
+    const sha = shaFromContext(github.context)
     core.exportVariable('GITHUB_DEPENDENCY_GRAPH_ENABLED', 'true')
     core.exportVariable('GITHUB_JOB_CORRELATOR', jobCorrelator)
     core.exportVariable('GITHUB_JOB_ID', github.context.runId)
+    core.exportVariable('GITHUB_SHA', sha)
     core.exportVariable(
         'DEPENDENCY_GRAPH_REPORT_DIR',
         path.resolve(layout.workspaceDirectory(), 'dependency-graph-reports')
@@ -151,6 +155,24 @@ function getRelativePathFromWorkspace(file: string): string {
     return path.relative(workspaceDirectory, file)
 }
 
+export function shaFromContext(context: Context): string {
+    const pullRequestEvents = [
+        'pull_request',
+        'pull_request_comment',
+        'pull_request_review',
+        'pull_request_review_comment'
+        // Note that pull_request_target is omitted here.
+        // That event runs in the context of the base commit of the PR,
+        // so the snapshot should not be associated with the head commit.
+    ]
+    if (pullRequestEvents.includes(context.eventName)) {
+        const pr = (context.payload as PullRequestEvent).pull_request
+        return pr.head.sha
+    } else {
+        return context.sha
+    }
+}
+
 export function getJobCorrelator(): string {
     return constructJobCorrelator(github.context.workflow, github.context.job, getJobMatrix())
 }