From df92ca182677a29317bdf608011873ed5241ddb6 Mon Sep 17 00:00:00 2001
From: Andreas Braun
Date: Fri, 14 Jun 2024 10:55:30 +0200
Subject: [PATCH 1/2] Fix refs used for code scanning results
---
 .github/workflows/release.yml | 2 +-
 .github/workflows/static-analysis.yml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b70720d78..ae50c8d28 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -166,7 +166,7 @@ jobs:
 - name: "Generate SARIF report from code scanning alerts"
 uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
 with:
- ref: ${{ inputs.version }}
+ ref: refs/tags/${{ inputs.version }}
 output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json
 - name: "Generate compliance report"
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index ac2299693..8a1c6ec6d 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -47,3 +47,4 @@ jobs:
 uses: "github/codeql-action/upload-sarif@v3"
 with:
 sarif_file: psalm.sarif
+ ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }}
From f7bb2a6369cbfa8e60b105a845e4314306792f4f Mon Sep 17 00:00:00 2001
From: Andreas Braun
Date: Mon, 17 Jun 2024 09:37:22 +0200
Subject: [PATCH 2/2] Use checked out SHA hash when uploading code scanning result
---
 .github/workflows/static-analysis.yml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index 8a1c6ec6d..7a634683b 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -34,6 +34,11 @@ jobs:
 with:
 ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }}
+ - name: "Get SHA hash of checked out ref"
+ if: ${{ github.event_name == 'workflow_dispatch' }}
+ run: |
+ echo CHECKED_OUT_SHA=$(git rev-parse HEAD) >> $GITHUB_ENV
+
 - name: "Setup"
 uses: "./.github/actions/setup"
 with:
@@ -44,7 +49,15 @@ jobs:
 run: "vendor/bin/psalm --show-info=false --stats --output-format=github --threads=$(nproc) --report=psalm.sarif"
 - name: "Upload SARIF report"
+ if: ${{ github.event_name != 'workflow_dispatch' }}
 uses: "github/codeql-action/upload-sarif@v3"
 with:
 sarif_file: psalm.sarif
- ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }}
+
+ - name: "Upload SARIF report"
+ if: ${{ github.event_name == 'workflow_dispatch' }}
+ uses: "github/codeql-action/upload-sarif@v3"
+ with:
+ sarif_file: psalm.sarif
+ ref: ${{ inputs.ref }}
+ sha: ${{ env.CHECKED_OUT_SHA }}
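Review bot: In the added "Get SHA hash of checked out ref" step (hunk `@@ -34,6 +34,11 @@`), a failing `git rev-parse HEAD` is masked because the substitution sits inside the `echo` arguments, so the step would still succeed and export an empty `CHECKED_OUT_SHA` that the later upload then passes as `sha`. Resolving first and quoting both expansions makes the failure stop the job: `sha="$(git rev-parse HEAD)"` followed by `echo "CHECKED_OUT_SHA=${sha}" >> "$GITHUB_ENV"`. A step output (`id:` plus `$GITHUB_OUTPUT`) would additionally keep the value out of the environment of the Setup and Psalm steps, which do not need it. The job definition starts and continues outside the hunk.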
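Review bot: The manual-dispatch upload step (hunk `@@ -44,7 +49,15 @@`) forwards `ref: ${{ inputs.ref }}` unchanged, yet the same input feeds the checkout step, which accepts short branch and tag names, whereas code scanning results are keyed on a fully qualified ref (`refs/heads/…`, `refs/tags/…`, `refs/pull/…`). The declaration of `inputs.ref` is outside the hunk, so this is inferred: if a caller can supply a short name, the upload may be rejected or filed under a ref that the release workflow's `refs/tags/${{ inputs.version }}` export never reads, leaving the compliance report without the Psalm findings. I would document the required form on the input with a comment such as `# must be fully qualified, e.g. refs/tags/<version>`, or add a guard step that fails when the value, passed in through `env:`, does not start with `refs/`. The two upload steps also share the name "Upload SARIF report"; distinct names would make it clear in the run log which path executed.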