fix: use actual PR head SHA in GitHub Actions instead of merge commit #2785
Merged
Conversation
Force-pushed from 2bebf86 to a0e9d7b
szokeasaurusrex approved these changes on Sep 24, 2025
Looks good! I left some nitpicks, all optional.
Force-pushed from 4934a1c to 2403ea6
When sentry-cli build upload runs in GitHub Actions for pull requests, it was using the temporary merge commit SHA (from git rev-parse HEAD) instead of the actual PR head commit SHA. This caused build uploads to be associated with non-existent commit SHAs.

Changes:
- Modify find_head() to check for GITHUB_EVENT_PATH environment variable
- Extract PR head SHA from GitHub Actions event payload when available
- Fall back to existing git rev-parse HEAD behavior when not in GitHub Actions
- Add comprehensive tests for JSON parsing and event handling

This ensures build uploads in GitHub Actions PR workflows use the correct commit SHA for size analysis and other features that rely on commit tracking.

Fixes EME-325

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <[email protected]>

- Use iterator instead of needless range loop
- Use to_owned() instead of to_string() on &str

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <[email protected]>
🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
Fixes clippy str_to_string warnings in test code. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
- Simplify JSON parsing logic to be more reliable
- Use sequential string searching instead of line-by-line parsing
- Add test case with real GitHub Actions JSON format
- This should fix issues with parsing complex nested JSON payloads

Address security vulnerability where user-controlled content in PR titles or descriptions could interfere with SHA extraction by replacing naive string parsing with robust serde_json deserialization.

- Replace string-based SHA extraction with proper JSON parsing using serde
- Add SHA validation to ensure extracted values are valid 40-character hex strings
- Add comprehensive test coverage including malicious input scenarios
- Update existing tests to work with new implementation

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <[email protected]>

Remove client-side SHA validation as the backend will handle validation. This simplifies the code while maintaining the security fix from proper JSON parsing.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <[email protected]>
Clean up code by removing verbose comments while preserving functionality. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
Co-authored-by: Daniel Szoke <[email protected]>
Co-authored-by: Daniel Szoke <[email protected]>
Co-authored-by: Daniel Szoke <[email protected]>
Remove unused structs and imports that were causing dead code warnings. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
Force-pushed from 2403ea6 to 7f29355
🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
Summary

Fixes the issue where `sentry-cli build upload` uses incorrect commit SHAs when running in GitHub Actions for pull requests.

Previously, when running in GitHub Actions PR builds, sentry-cli would use the temporary merge commit SHA (created by GitHub Actions when it merges the PR branch with the target branch) instead of the actual PR head commit SHA. This caused build uploads to be associated with commit SHAs that don't exist in the actual repository history.

`find_head()` function: Now checks for the `GITHUB_EVENT_PATH` environment variable

How it works

1. `--head-sha` is explicitly provided → use that (existing behavior)
2. `GITHUB_EVENT_PATH` is set → extract PR head SHA from event payload
3. Otherwise → `git rev-parse HEAD` (existing behavior)

Alternative

Alternatively, we could use a complex regex to parse the JSON; I think the logic here is easier to follow/debug than a regex.

Testing

I tested this functionality in this test PR: #2787

Fixes

Closes EME-325

🤖 Generated with Claude Code
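The following is an added example, not code from sentry-cli or from this PR. It walks through the two things the thread discusses: the three-step resolution order in "How it works" (explicit `--head-sha`, then `GITHUB_EVENT_PATH`, then `git rev-parse HEAD`), and the security point in the "Address security vulnerability" commit, where PR title or body text could steer a naive string search because those fields are serialized before `pull_request.head` in the event payload. sentry-cli is Rust and the fix uses serde_json; Python's standard `json` module stands in for it here. Assumptions: `naive_head_sha` is a reconstruction of the kind of search the commits describe, not the code that was replaced; `find_head`, `head_sha_from_event` and `resolve_with_event_file` are illustrative names; the 40-hex validation is kept as defence in depth even though the merged PR removed it client-side; the event payload and SHAs are constructed.

```python
"""Added example (not sentry-cli's own code): resolving the commit SHA in the
order the PR describes, and why a naive string search over the GitHub Actions
event payload can be steered by PR text while a real JSON parse cannot."""
import json
import os
import re
import subprocess
import tempfile
from typing import Callable, Mapping, Optional

# Constructed sample values, not taken from any real repository.
HEAD_SHA = "3f2b0c1d9e8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c"      # genuine PR head
ATTACKER_SHA = "4141414141414141414141414141414141414141"  # planted in PR body

# Key order mirrors a real pull_request event: title and body are serialized
# before pull_request.head, so a forward scan meets attacker text first.
EVENT_PAYLOAD = json.dumps({
    "action": "synchronize",
    "number": 2785,
    "pull_request": {
        "title": "fix: use actual PR head SHA in GitHub Actions",
        "body": f"Tested against head sha {ATTACKER_SHA} locally",
        "head": {"ref": "fix/pr-head-sha", "sha": HEAD_SHA},
        "base": {"ref": "master", "sha": "0" * 40},
    },
})

HEX40 = re.compile(r"[0-9a-f]{40}")


def naive_head_sha(payload: str) -> Optional[str]:
    """Reconstruction of the replaced approach: find 'head', then 'sha', then
    take the next 40 hex characters. Whatever the PR author typed wins."""
    i = payload.find("head")
    j = payload.find("sha", i) if i >= 0 else -1
    if j < 0:
        return None
    m = HEX40.search(payload, j)
    return m.group(0) if m else None


def head_sha_from_event(payload: str) -> Optional[str]:
    """Proper parse: only the pull_request.head.sha key is consulted; the PR
    body is an opaque string value the parser never interprets."""
    try:
        event = json.loads(payload)
    except json.JSONDecodeError:
        return None
    pr = event.get("pull_request") if isinstance(event, dict) else None
    head = pr.get("head") if isinstance(pr, dict) else None
    sha = head.get("sha") if isinstance(head, dict) else None
    # Defence-in-depth check; the merged PR dropped this client-side and
    # relies on backend validation instead (kept here by assumption).
    if isinstance(sha, str) and HEX40.fullmatch(sha):
        return sha
    return None


def find_head(explicit: Optional[str], env: Mapping[str, str],
              git_rev_parse_head: Callable[[], str]) -> str:
    """Resolution order from the PR description:
    1. --head-sha given explicitly -> use it
    2. GITHUB_EVENT_PATH set and payload carries a PR head -> use that
    3. otherwise -> git rev-parse HEAD (the merge commit on PR builds)"""
    if explicit:
        return explicit
    path = env.get("GITHUB_EVENT_PATH")
    if path:
        try:
            with open(path, encoding="utf-8") as f:
                sha = head_sha_from_event(f.read())
        except OSError:
            sha = None  # path set but unreadable: fall through to git
        if sha:
            return sha
    return git_rev_parse_head()


def git_head() -> str:
    """Real fallback: what the CLI did unconditionally before this PR."""
    return subprocess.check_output(["git", "rev-parse", "HEAD"], text=True).strip()


def resolve_with_event_file(payload: str, explicit: Optional[str] = None,
                            fallback: Callable[[], str] = lambda: "from-git") -> str:
    """Simulate a GitHub Actions PR job: write the payload where the runner
    would and resolve the SHA through find_head()."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as f:
        f.write(payload)
        path = f.name
    try:
        return find_head(explicit, {"GITHUB_EVENT_PATH": path}, fallback)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("naive search picks :", naive_head_sha(EVENT_PAYLOAD))
    print("structured parse   :", head_sha_from_event(EVENT_PAYLOAD))
    print("find_head in CI    :", resolve_with_event_file(EVENT_PAYLOAD))
```

Running the block shows the naive scan returning the SHA planted in the PR body while the structured parse returns the real head SHA; a push-event payload (no `pull_request` key) falls through to the git fallback exactly as step 3 describes.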