fix VulnScan target branch

Author: Akshay2191

.github/workflows/ci.yml

@@ -105,7 +105,9 @@ jobs:
       contents: read
       security-events: write # for reporting vulnerabilities via code-scanning API
     with:
-      target-branch: ${{ github.event.pull_request.base.ref || github.ref_name }}
+      # Use PR head branch (the feature branch) when running from a pull_request event.
+      # Fallback to github.head_ref (sanity) or ref name for other contexts.
+      target-branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref_name }}
 
   unit-test:
     name: Unit Tests

.github/workflows/vulncheck.yml

@@ -29,9 +29,10 @@ jobs:
         with:
           persist-credentials: false
           fetch-depth: 0
-          # Prioritise inputs.target-branch, defaulting to PR head or current ref before falling back to 'main'.
-          # Fixes default branch resolution issues observed during Go version upgrades.
-          ref: ${{ inputs.target-branch || github.head_ref || github.ref_name || 'main' }}
+          # For a pull_request event use the PR head branch (github.head_ref)
+          # to this ensures vulncheck runs against the feature branch.
+          # Otherwise, fall back to inputs.target-branch, github.ref_name, then 'main'.
+          ref: ${{ (github.event_name == 'pull_request' && github.head_ref) || inputs.target-branch || github.ref_name || 'main' }}
 
       - name: Check Go version
         id: get-go-version