Support SHA-256 Git object hashes (64-char OIDs)

[Copilot]

Git is transitioning to SHA-256 as the default object hash (64 hex chars vs SHA-1's 40). Two production code paths hard-coded assumptions about 40-char OIDs, causing silent failures or errors in SHA-256 repositories.

Production fixes (src/git-utils.ts)

• getFileOidsUnderPath(): Regex {40} → {40,64} — previously all entries failed to match in SHA-256 repos, causing an error throw.
• determineBaseBranchHeadCommitOid(): Length checks === 40 → (=== 40 || === 64) — previously the condition was always false for 64-char OIDs, causing silent undefined return and fallback to server-side base SHA calculation.

Test coverage (src/git-utils.test.ts, src/upload-lib.test.ts, src/testing-utils.ts)

• Added SHA256_GITHUB_SHA = "0".repeat(64) constant to testing-utils.ts
• SHA-256 variants for getRef() tests (merge PR ref, checkout@v1 path, head PR ref, explicit input)
• SHA-256 test for determineBaseBranchHeadCommitOid returning the correct base OID from a 64-char merge commit
• SHA-256 tests for getFileOidsUnderPath (pure 64-char OIDs and mixed SHA-1/SHA-256)
• SHA-256 upload payload test in upload-lib.test.ts

Risk assessment

• Low risk: Test coverage for fixed code paths. No behavior change for SHA-1 repos.

Which use cases does this change impact?

• Advanced setup - Impacts users who have custom CodeQL workflows.
• Managed - Impacts users with dynamic workflows (Default Setup, Code Quality, ...).

Products:

• Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
• Code Quality - The changes impact analyses when analysis-kinds: code-quality.
• Other first-party - The changes impact other first-party analyses.
• Third-party analyses - The changes affect the upload-sarif action.

Environments:

• Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.
• GHES - Impacts CodeQL workflows on GitHub Enterprise Server.

How did/will you validate this change?

• Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

• Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

• Telemetry - I rely on existing telemetry or have made changes to the telemetry.
  • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

• No special considerations - This change can be merged at any time.

Merge / deployment checklist

• Confirm this change is backwards compatible with existing workflows.
• Consider adding a changelog entry for this change.
• Confirm the readme and docs have been updated if necessary.

[koesie10]

I think we usually prefer a regex that only allows 40 or 64 character SHAs, something like this:

Suggested change

	const regex = /^[0-9]+ ([0-9a-f]{40,64}) [0-9]+\t(.+)$/;
	const regex = /^[0-9]+ ([0-9a-f]{40}(?:[a-f0-9]{24})?) [0-9]+\t(.+)$/;