@robertbrignull robertbrignull commented Jun 25, 2020

There have been problems regarding a new dependency on being able to run git commands. In some environments git is not present, or a .git directory is not created unless git is a high-enough version. In other cases people want to analyze without a full checkout, for example analysing container images.

This PR means we still try to use git to get the current commit, because we need to do this in the case of PR integration. However, if that fails for any reason then we almost silently give up and just return the commit SHA from the environment.

I argue this will be correct in almost all situations, and even if it was incorrect the fallout from alerts appearing on the wrong commit is not too bad in the case of pull requests and likely understandable to the user.

I've tested this with a self-hosted runner that did not have a high enough version of git, and it failed on the main branch but succeeded with this branch.

Merge / deployment checklist

  • Run test builds as necessary. Can be on this repository or elsewhere as needed in order to test the change - please include links to tests in other repos!
    • CodeQL using init/analyze actions
    • 3rd party tool using upload action
  • Confirm this change is backwards compatible with existing workflows.
  • Confirm the readme has been updated if necessary.

@robertbrignull robertbrignull merged commit 96d02d5 into main Jun 25, 2020
@robertbrignull robertbrignull deleted the remove_git_dependency branch June 25, 2020 15:55
@github-actions github-actions bot mentioned this pull request Jun 29, 2020
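
The fallback this pull request describes, sketched as an added example that is not the action's own code. Assumptions: `git rev-parse HEAD` is the git query, `GITHUB_SHA` is the environment value, and `resolveCommitSha`, `defaultRunGit` and the injectable `runGit` parameter are hypothetical names.

```javascript
// Added example, not codeql-action source. Assumed: `git rev-parse HEAD` as the
// git query and GITHUB_SHA as the environment value; all names are hypothetical.

// A full SHA-1 object id. Anything else from either source is rejected, so an
// error message or a malformed value can never be attached to uploaded results.
const SHA_RE = /^[0-9a-f]{40}$/;

function defaultRunGit(args, cwd) {
  const { execFileSync } = require("node:child_process");
  // Argument array and no shell: nothing in `args` is parsed as shell syntax.
  // The timeout keeps a hung git from stalling the job.
  return execFileSync("git", args, {
    cwd,
    encoding: "utf8",
    timeout: 5000,
    stdio: ["ignore", "pipe", "ignore"],
  });
}

// Returns { sha, source } where source is "git" or "env". Reporting the source
// lets the caller log which path was taken instead of giving up invisibly.
function resolveCommitSha(env, cwd, runGit = defaultRunGit) {
  try {
    const out = runGit(["rev-parse", "HEAD"], cwd).trim().toLowerCase();
    if (SHA_RE.test(out)) {
      return { sha: out, source: "git" };
    }
    // Unexpected output is handled like a failed command: fall through.
  } catch (err) {
    // git not installed, no .git directory, non-zero exit, timeout:
    // all treated the same way, as the pull request describes.
  }

  const fallback = (env.GITHUB_SHA || "").trim().toLowerCase();
  if (!SHA_RE.test(fallback)) {
    throw new Error("no usable commit SHA from git or from GITHUB_SHA");
  }
  return { sha: fallback, source: "env" };
}
```

A caller would pass `process.env` and the checkout directory, and log a single line when `source` is `"env"`.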