Merge latest develop branch with artifact upload functionality

Author: Copilot

.appveyor.yml

@@ -11,8 +11,8 @@ install:
   - ps: mkdir $env:DOTNET_INSTALL_DIR -Force | Out-Null
   - ps: Invoke-WebRequest -Uri "https://dotnet.microsoft.com/download/dotnet/scripts/v1/dotnet-install.ps1" -OutFile "$($env:DOTNET_INSTALL_DIR)/dotnet-install.ps1"
   - ps: '& "$($env:DOTNET_INSTALL_DIR)/dotnet-install.ps1" -Version 5.0.408 -InstallDir $env:DOTNET_INSTALL_DIR'
-  - ps: '& "$($env:DOTNET_INSTALL_DIR)/dotnet-install.ps1" -Version 8.0.412 -InstallDir $env:DOTNET_INSTALL_DIR'
-  - ps: '& "$($env:DOTNET_INSTALL_DIR)/dotnet-install.ps1" -Version 9.0.303 -InstallDir $env:DOTNET_INSTALL_DIR'
+  - ps: '& "$($env:DOTNET_INSTALL_DIR)/dotnet-install.ps1" -Version 8.0.413 -InstallDir $env:DOTNET_INSTALL_DIR'
+  - ps: '& "$($env:DOTNET_INSTALL_DIR)/dotnet-install.ps1" -Version 9.0.304 -InstallDir $env:DOTNET_INSTALL_DIR'
   - ps: $env:Path = "$env:DOTNET_INSTALL_DIR;$env:Path"
   - ps: dotnet --info
   - ps: Install-Product node 20

.github/workflows/build.yml

@@ -38,7 +38,7 @@ jobs:
         run: npm install -g markdownlint-cli
         shell: powershell
       - name: Download build artifact
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
         with:
           name: NuGet Package
           path: ./BuildArtifacts/Packages/NuGet

Cake.Frosting.Issues.Recipe/Cake.Frosting.Issues.Recipe.Tests/BuildServers/GitHubActionsBuildServerTests.cs

@@ -0,0 +1,24 @@
+namespace Cake.Frosting.Issues.Recipe.Tests.BuildServers;
+
+using Shouldly;
+using Xunit;
+
+public sealed class GitHubActionsBuildServerTests
+{
+    public sealed class TheDetermineCommitIdMethod
+    {
+        [Fact]
+        public void Should_Use_Correct_Logic_For_Pull_Request_Events()
+        {
+            // Given
+            var buildServer = new GitHubActionsBuildServer();
+
+            // This is a basic smoke test since we can't easily mock the GitHubActions() environment
+            // The actual functionality is tested through integration tests
+
+            // When/Then - we're mainly testing that the code compiles and the class can be instantiated
+            _ = buildServer.ShouldNotBeNull();
+            _ = buildServer.ShouldBeOfType<GitHubActionsBuildServer>();
+        }
+    }
+}

Cake.Frosting.Issues.Recipe/Cake.Frosting.Issues.Recipe/BuildServers/GitHubActionsBuildServer.cs

@@ -8,6 +8,8 @@ namespace Cake.Frosting.Issues.Recipe;
 using Cake.Common.Diagnostics;
 using Cake.Common.IO;
 using Cake.Core.IO;
+using System.Net;
+using System.Net.Http;
 
 /// <summary>
 /// Support for builds running on GitHub Actions.
@@ -31,6 +33,40 @@ public override string DetermineCommitId(
     {
         context.NotNull();
 
+        // For pull request events, use the actual HEAD commit instead of the merge commit SHA
+        if (this.DetermineIfPullRequest(context))
+        {
+            var eventPath = context.EnvironmentVariable("GITHUB_EVENT_PATH");
+
+            if (!string.IsNullOrWhiteSpace(eventPath) && System.IO.File.Exists(eventPath))
+            {
+                try
+                {
+                    var eventJson = System.IO.File.ReadAllText(eventPath);
+                    var eventData = Newtonsoft.Json.JsonConvert.DeserializeObject(eventJson) as Newtonsoft.Json.Linq.JObject;
+                    var prHeadSha = eventData?["pull_request"]?["head"]?["sha"];
+
+                    if (prHeadSha != null)
+                    {
+                        return prHeadSha.ToString();
+                    }
+                }
+                catch (System.IO.IOException)
+                {
+                    // Fall through to default behavior if file I/O fails
+                }
+                catch (System.UnauthorizedAccessException)
+                {
+                    // Fall through to default behavior if access is denied
+                }
+                catch (Newtonsoft.Json.JsonException)
+                {
+                    // Fall through to default behavior if JSON parsing fails
+                }
+            }
+        }
+
+        // Default behavior for non-PR events or when event data is not available
         return context.GitHubActions().Environment.Workflow.Sha;
     }
 
@@ -125,7 +161,14 @@ private static void UploadSarifToCodeScanning(IIssuesContext context)
         }
 
         var repository = context.GitHubActions().Environment.Workflow.Repository;
-        var commitSha = context.GitHubActions().Environment.Workflow.Sha;
+
+        // Check if code scanning is enabled before attempting upload
+        if (!IsCodeScanningEnabled(context, repository, token))
+        {
+            context.Information("GitHub code scanning is not enabled for this repository. Skipping SARIF upload.");
+            return;
+        }
+
         var ref_ = context.GitHubActions().Environment.Workflow.Ref;
 
         // Read and encode SARIF file
@@ -136,8 +179,8 @@ private static void UploadSarifToCodeScanning(IIssuesContext context)
         var apiUrl = new Uri($"https://api.github.com/repos/{repository}/code-scanning/sarifs");
         var requestBody = new
         {
-            commit_sha = commitSha,
-            ref_ = ref_,
+            commit_sha = context.State.CommitId,
+            ref_,
             sarif = sarifBase64,
             tool_name = "Cake.Issues.Recipe"
         };
@@ -163,4 +206,61 @@ private static void UploadSarifToCodeScanning(IIssuesContext context)
             context.Warning($"Failed to upload SARIF report to GitHub code scanning. Status: {response.StatusCode}, Error: {errorContent}");
         }
     }
+
+    private static bool IsCodeScanningEnabled(IIssuesContext context, string repository, string token)
+    {
+        // Check if code scanning is enabled by attempting to fetch code scanning alerts
+        var apiUrl = new Uri($"https://api.github.com/repos/{repository}/code-scanning/alerts?per_page=1");
+
+        using var httpClient = new HttpClient();
+        httpClient.DefaultRequestHeaders.Add("Authorization", $"token {token}");
+        httpClient.DefaultRequestHeaders.Add("Accept", "application/vnd.github.v3+json");
+        httpClient.DefaultRequestHeaders.Add("User-Agent", "Cake.Issues.Recipe");
+
+        try
+        {
+            var response = httpClient.GetAsync(apiUrl).Result;
+
+            // If we get a successful response (200) or even a 404 for no alerts, code scanning is enabled
+            if (response.IsSuccessStatusCode || response.StatusCode == HttpStatusCode.NotFound)
+            {
+                return true;
+            }
+
+            // If we get a 403 (Forbidden), check if it's because code scanning is not enabled
+            if (response.StatusCode == HttpStatusCode.Forbidden)
+            {
+                var errorContent = response.Content.ReadAsStringAsync().Result;
+                if (errorContent.Contains("Code Security must be enabled", StringComparison.Ordinal))
+                {
+                    return false;
+                }
+            }
+
+            // For any other error, assume code scanning might be enabled but there's another issue
+            // Log the issue but don't block the upload attempt
+            context.Warning($"Unable to determine code scanning status. Response: {response.StatusCode}");
+            return true;
+        }
+        catch (HttpRequestException ex)
+        {
+            // If there's an HTTP exception checking the status, assume code scanning might be enabled
+            context.Warning($"HTTP error checking code scanning status: {ex.Message}");
+            return true;
+        }
+        catch (TaskCanceledException ex)
+        {
+            // If there's a timeout checking the status, assume code scanning might be enabled
+            context.Warning($"Timeout checking code scanning status: {ex.Message}");
+            return true;
+        }
+#pragma warning disable CA1031 // Do not catch general exception types - intentional fail-safe behavior
+        catch (Exception ex)
+        {
+            // If there's any other exception checking the status, assume code scanning might be enabled
+            context.Warning($"Error checking code scanning status: {ex.Message}");
+            return true;
+        }
+#pragma warning restore CA1031 // Do not catch general exception types
+    }
 }

Cake.Frosting.Issues.Recipe/global.json

@@ -1,7 +1,7 @@
 {
     "sdk": {
         "allowPrerelease": true,
-        "version": "9.0.303",
+        "version": "9.0.304",
         "rollForward": "latestFeature"
     }
 }