fix: ignore GitHub virtual merge commits in PR events

dachi-dev · dachi-dev · commit 90415cbc21f2 · 2025-08-29T10:15:21.000-05:00
- Skip GITHUB_SHA for pull_request events to avoid virtual merge commits
- GitHub Actions creates virtual merge commits for PRs that don't exist as real commits
- CLI now uses HEAD commit for PR events, GITHUB_SHA for push events
- Added comprehensive tests for both PR and push event scenarios
- Resolves issue with confusing merge messages like 'Merge abc123 into def456 (virtual)'
diff --git a/socketsecurity/core/git_interface.py b/socketsecurity/core/git_interface.py
@@ -54,19 +54,28 @@ def __init__(self, path: str):
         
         # Use CI environment SHA if available, otherwise fall back to current HEAD commit
         github_sha = os.getenv('GITHUB_SHA')
+        github_event_name = os.getenv('GITHUB_EVENT_NAME')
         gitlab_sha = os.getenv('CI_COMMIT_SHA')
         bitbucket_sha = os.getenv('BITBUCKET_COMMIT')
-        ci_sha = github_sha or gitlab_sha or bitbucket_sha
+        
+        # For GitHub PR events, ignore GITHUB_SHA (virtual merge commit) and use HEAD
+        if github_event_name == 'pull_request':
+            ci_sha = gitlab_sha or bitbucket_sha  # Skip github_sha
+            log.debug("GitHub PR event detected - ignoring GITHUB_SHA (virtual merge commit)")
+        else:
+            ci_sha = github_sha or gitlab_sha or bitbucket_sha
         
         if ci_sha:
             try:
                 self.commit = self.repo.commit(ci_sha)
-                if github_sha:
+                if ci_sha == github_sha and github_event_name != 'pull_request':
                     env_source = "GITHUB_SHA"
-                elif gitlab_sha:
+                elif ci_sha == gitlab_sha:
                     env_source = "CI_COMMIT_SHA"
-                else:
+                elif ci_sha == bitbucket_sha:
                     env_source = "BITBUCKET_COMMIT"
+                else:
+                    env_source = "UNKNOWN_CI_SOURCE"
                 log.debug(f"Using commit from {env_source}: {ci_sha}")
             except Exception as error:
                 log.debug(f"Failed to get commit from CI environment: {error}")
diff --git a/tests/core/test_git_interface.py b/tests/core/test_git_interface.py
@@ -762,3 +762,53 @@ def test_environment_variable_parsing(self, git_instance):
         }):
             assert os.getenv('BITBUCKET_BRANCH') == 'feature'
             assert os.getenv('BITBUCKET_PR_DESTINATION_BRANCH') == 'main'
+
+    def test_github_virtual_merge_commit_ignored(self, git_instance, caplog):
+        """
+        Test that GitHub virtual merge commits are ignored for pull_request events.
+        
+        GitHub Actions sets GITHUB_SHA to a virtual merge commit for PR events,
+        which should be ignored to avoid scanning non-existent commits.
+        """
+        with caplog.at_level(logging.DEBUG):
+            # Simulate GitHub PR environment with virtual merge commit
+            with patch.dict(os.environ, {
+                'GITHUB_EVENT_NAME': 'pull_request',
+                'GITHUB_SHA': 'abc123virtual',  # Virtual merge commit
+                'CI_COMMIT_SHA': '',  # No GitLab SHA
+                'BITBUCKET_COMMIT': ''  # No Bitbucket SHA
+            }, clear=True):
+                # Create new Git instance to trigger commit selection logic
+                git_instance_new = Git(git_instance.path)
+                
+                # Should log that GITHUB_SHA is being ignored
+                debug_messages = [record.message for record in caplog.records if record.levelname == "DEBUG"]
+                virtual_commit_logs = [msg for msg in debug_messages if "ignoring GITHUB_SHA (virtual merge commit)" in msg]
+                assert len(virtual_commit_logs) >= 1, f"Expected virtual merge commit log, got: {debug_messages}"
+                
+                # Should use HEAD commit instead of GITHUB_SHA
+                assert git_instance_new.commit.hexsha != 'abc123virtual'
+                assert git_instance_new.commit.hexsha == git_instance.commit.hexsha  # Should match original HEAD
+
+    def test_github_push_event_uses_github_sha(self, git_instance, caplog):
+        """
+        Test that GitHub push events still use GITHUB_SHA (not virtual merge commits).
+        """
+        with caplog.at_level(logging.DEBUG):
+            # Simulate GitHub push environment with real commit
+            with patch.dict(os.environ, {
+                'GITHUB_EVENT_NAME': 'push',
+                'GITHUB_SHA': git_instance.commit.hexsha,  # Real commit
+                'CI_COMMIT_SHA': '',
+                'BITBUCKET_COMMIT': ''
+            }, clear=True):
+                # Create new Git instance to trigger commit selection logic
+                git_instance_new = Git(git_instance.path)
+                
+                # Should use GITHUB_SHA for push events
+                assert git_instance_new.commit.hexsha == git_instance.commit.hexsha
+                
+                # Should NOT log virtual merge commit message
+                debug_messages = [record.message for record in caplog.records if record.levelname == "DEBUG"]
+                virtual_commit_logs = [msg for msg in debug_messages if "ignoring GITHUB_SHA (virtual merge commit)" in msg]
+                assert len(virtual_commit_logs) == 0, f"Should not ignore GITHUB_SHA for push events: {debug_messages}"
