Refactor merge base retrieval in workflow

tdcmeehan · web-flow · commit 7e97e8cfbfb4 · 2025-11-04T20:59:19.000-05:00
Updated the merge base retrieval process to use GitHub CLI for better accuracy and removed the fallback logic for older PRs.
diff --git a/.github/workflows/owasp-dependency-check.yml b/.github/workflows/owasp-dependency-check.yml
@@ -24,25 +24,21 @@ jobs:
         with:
           persist-credentials: false
           ref: ${{ github.event.pull_request.head.sha }}
-          fetch-depth: 100  # Fetch enough history to find merge base
 
       - name: Find merge base
         id: merge-base
+        env:
+          GH_TOKEN: ${{ github.token }}
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          REPO: ${{ github.repository }}
         run: |
-          # Fetch the base branch with same depth
-          git fetch origin ${{ github.event.pull_request.base.ref }} --depth=100
+          merge_base=$(gh api -q '.merge_base_commit.sha' \
+            "/repos/$REPO/compare/$BASE_REF...$HEAD_SHA")
+          echo "sha=$merge_base" >> $GITHUB_OUTPUT
+          echo "Using merge base: $merge_base"
 
-          # Try to find merge base
-          if merge_base=$(git merge-base HEAD origin/${{ github.event.pull_request.base.ref }} 2>/dev/null); then
-            echo "sha=$merge_base" >> $GITHUB_OUTPUT
-            echo "Using merge base: $merge_base"
-          else
-            # Fallback to base.sha if merge base not found (very old PRs)
-            echo "sha=${{ github.event.pull_request.base.sha }}" >> $GITHUB_OUTPUT
-            echo "Could not find merge base, using base branch head instead.  This should not happen for recent PRs."
-          fi
-
-      - name: Checkout base branch (merge base)
+      - name: Checkout base branch
         uses: actions/checkout@v4
         with:
           persist-credentials: false
