fix: Don't report check to invalid sha (#515)

* fix: Don't report check to old sha

This fixes an issue where a failed git checkout (because of a missing
ref, network, or auth issues) would cause a failure to be posted to
GitHub for the wrong sha - most often the last successfully built sha.
This has caused confusion when one or more checks was reported as
passing only to be unexpectedly changed to failing for an unrelated
reason. It looks for cases where the git build data doesn't match the
current build and returning an empty string for the sha if that's the
case. Otherwise the behavior should remain the same.

I added a new test to cover this case and I've tested it both with a
manual repro in a sandbox environment and in a production environment
(we run approximately 100k PR checks through this plugin on an average
day) to confirm that it's working as expected when build failures occur
before or during checkout.

Prior to this fix - a failure during git checkout would report the
failure to the previous successful sha:

```
> gh api "repos/$ORG/$REPO/commits/$SHA/check-runs?filter=all" | jq
'.check_runs[] | {name, head_sha, status, conclusion, completed_at}'
{
  "name": "gh-checks-plugin-fix-test",
  "head_sha": "71a1cc8f8b956b11b12036b8687acd7a5fafa868",
  "status": "completed",
  "conclusion": "failure",
  "completed_at": "2026-02-18T15:49:53Z"
}
{
  "name": "gh-checks-plugin-fix-test",
  "head_sha": "71a1cc8f8b956b11b12036b8687acd7a5fafa868",
  "status": "completed",
  "conclusion": "success",
  "completed_at": "2026-02-18T15:48:46Z"
}
```

And with this fix, the build failed. But, as expected, it skipped
reporting the failure to the wrong sha:

```
> gh api "repos/$ORG/$REPO/commits/$SHA/check-runs?filter=all" | jq
'.check_runs[] | {name, head_sha, status, conclusion, completed_at}'
{
  "name": "gh-checks-plugin-fix-test",
  "head_sha": "5dd2fbbbf2d102e0bb72f1ab76e5c00b8b29cf2e",
  "status": "completed",
  "conclusion": "success",
  "completed_at": "2026-02-18T15:58:32Z"
}
```

The main caveat with this is that we use Freestyle jobs, not Pipeline
jobs, so I'm relying on the existing test case to ensure it's still
working as expected for pipelines.

* fix tests

I had made the original changes based on an older version of the plugin
so it would be compatible with the older version of Jenkins we're still
using and I forgot to re-run the tests after I cherry-picked the commit
to the latest on `master`. This is now passing when I run tests locally.

* Avoid potential null pointer exception to fix spotbugs

* mock builddata

Author: russtaylor

src/main/java/io/jenkins/plugins/checks/github/GitSCMChecksContext.java

@@ -48,6 +48,17 @@ class GitSCMChecksContext extends GitHubChecksContext {
 
     @Override
     public String getHeadSha() {
+        // When checkout fails, BuildData is either absent from the current run or
+        // carries a stale build number from a previous build. In both cases,
+        // GIT_COMMIT from run.getEnvironment() is also unreliable because
+        // GitSCM.buildEnvironment() walks back through previous builds' BuildData.
+        BuildData gitBuildData = run.getAction(BuildData.class);
+        if (gitBuildData == null
+                || gitBuildData.lastBuild == null
+                || gitBuildData.lastBuild.getBuildNumber() != run.getNumber()) {
+            return StringUtils.EMPTY;
+        }
+
         try {
             String head = getGitCommitEnvironment();
             if (StringUtils.isNotBlank(head)) {

src/test/java/io/jenkins/plugins/checks/github/GitHubChecksPublisherFactoryTest.java

@@ -6,6 +6,8 @@
 import hudson.model.TaskListener;
 import hudson.plugins.git.GitSCM;
 import hudson.plugins.git.UserRemoteConfig;
+import hudson.plugins.git.util.Build;
+import hudson.plugins.git.util.BuildData;
 import jenkins.scm.api.SCMHead;
 import org.jenkinsci.plugins.displayurlapi.DisplayURLProvider;
 import org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials;
@@ -78,6 +80,12 @@ void shouldCreateGitHubChecksPublisherFromRunForProjectWithValidGitSCM() throws
         SCMFacade scmFacade = mock(SCMFacade.class);
         EnvVars envVars = mock(EnvVars.class);
 
+        BuildData buildData = mock(BuildData.class);
+        Build lastBuild = mock(Build.class);
+        buildData.lastBuild = lastBuild;
+        when(lastBuild.getBuildNumber()).thenReturn(1);
+        when(run.getNumber()).thenReturn(1);
+        when(run.getAction(BuildData.class)).thenReturn(buildData);
         when(run.getParent()).thenReturn(job);
         when(run.getEnvironment(TaskListener.NULL)).thenReturn(envVars);
         when(envVars.get("GIT_COMMIT")).thenReturn("a1b2c3");

src/test/java/io/jenkins/plugins/checks/github/GitSCMChecksContextITest.java

@@ -82,4 +82,35 @@ void shouldRetrieveContextFromPipeline(JenkinsRule j) throws Exception {
         assertThat(gitSCMChecksContext.getCredentialsId()).isEqualTo(CREDENTIALS_ID);
         assertThat(gitSCMChecksContext.getHeadSha()).isEqualTo(EXISTING_HASH);
     }
+
+    /**
+     * Verifies that when a checkout fails on a subsequent build, {@link GitSCMChecksContext#getHeadSha()}
+     * returns empty rather than returning the stale SHA from the previous successful build.
+     * This prevents checks from being posted against the wrong commit when checkout fails
+     * (e.g. due to network flakiness).
+     */
+    @Test
+    void shouldReturnEmptyHeadShaWhenCheckoutFails(JenkinsRule j) throws Exception {
+        FreeStyleProject job = j.createFreeStyleProject();
+
+        // First build: successful checkout populates BuildData with the correct SHA
+        GitSCM scm = new GitSCM(GitSCM.createRepoList(HTTP_URL, CREDENTIALS_ID),
+                Collections.singletonList(new BranchSpec(EXISTING_HASH)),
+                null, null, Collections.emptyList());
+        job.setScm(scm);
+        Run<?, ?> successfulRun = buildSuccessfully(j, job);
+        assertThat(new GitSCMChecksContext(successfulRun, URL_NAME).getHeadSha()).isEqualTo(EXISTING_HASH);
+
+        // Second build: use a non-existent SHA to simulate checkout failure.
+        // The Git plugin carries over BuildData from the previous build, but since
+        // the checkout never completes, lastBuild.hudsonBuildNumber still refers
+        // to build #1.
+        job.setScm(new GitSCM(GitSCM.createRepoList(HTTP_URL, CREDENTIALS_ID),
+                Collections.singletonList(new BranchSpec("0000000000000000000000000000000000000001")),
+                null, null, Collections.emptyList()));
+        Run<?, ?> failedRun = j.assertBuildStatus(Result.FAILURE, job.scheduleBuild2(0, new Action[0]));
+
+        // Must return empty, not the previous build's SHA
+        assertThat(new GitSCMChecksContext(failedRun, URL_NAME).getHeadSha()).isEmpty();
+    }
 }