Use the correct SHA for pull request snapshots (#401)

Evidently, `github.context.sha` is not always what you might consider
the "current commit" in a given context. In most GitHub pull request
event types, `github.context.sha` will be the "Last merge commit on the
GITHUB_REF branch." In those cases, the commit SHA that should be
associated with the snapshot is `github.event.pull_request.head.sha`.

This commit adds a helper function, `getSha`, which will return the
correct SHA for the current context.

Signed-off-by: Justin Holguin <juxtin@github.com>
Signed-off-by: GitHub <noreply@github.com>

src/github/SyftGithubAction.ts

@@ -244,6 +244,29 @@ export function getSbomFormat(): SyftOptions["format"] {
   return (core.getInput("format") as SyftOptions["format"]) || "spdx-json";
 }
 
+/**
+ * Returns the SHA of the current commit, which will either be the head
+ * of the pull request branch or the value of github.context.sha, depending
+ * on the event type.
+ */
+export function getSha(): string {
+  const pull_request_events = [
+    "pull_request",
+    "pull_request_comment",
+    "pull_request_review",
+    "pull_request_review_comment",
+    // Note that pull_request_target is omitted here.
+    // That event runs in the context of the base commit of the PR,
+    // so the snapshot should not be associated with the head commit.
+  ];
+  if (pull_request_events.includes(github.context.eventName)) {
+    const pr = (github.context.payload as PullRequestEvent).pull_request;
+    return pr.head.sha;
+  } else {
+    return github.context.sha;
+  }
+}
+
 /**
  * Uploads a SBOM as a workflow artifact
  * @param contents SBOM file contents
@@ -382,7 +405,8 @@ export async function uploadDependencySnapshot(): Promise<void> {
     );
     return;
   }
-  const { workflow, job, runId, repo, sha, ref } = github.context;
+  const { workflow, job, runId, repo, ref } = github.context;
+  const sha = getSha();
   const client = getClient(repo, core.getInput("github-token"));
 
   const snapshot = JSON.parse(