Describe the bug
On pull_request events GITHUB_SHA (which vite.config.js reads via resolveCommitSha()) is the ephemeral merge commit GitHub synthesizes for refs/pull//merge — it merges your branch head into main and never exists in either branch's history, hence you can't find it. The Cloudflare preview deploy is built from that merge ref, so it stamps that SHA. Production (push to main) stamps the real commit, so it's only misleading on PR previews. To fix centrally, the reusable DevSecNinja/.github Pages workflow should pass APP_COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }} into the build env so PR builds use the real head commit.
Steps to reproduce
Expected behavior
Actual behavior
Environment
Describe the bug
On pull_request events GITHUB_SHA (which vite.config.js reads via resolveCommitSha()) is the ephemeral merge commit GitHub synthesizes for refs/pull//merge — it merges your branch head into main and never exists in either branch's history, hence you can't find it. The Cloudflare preview deploy is built from that merge ref, so it stamps that SHA. Production (push to main) stamps the real commit, so it's only misleading on PR previews. To fix centrally, the reusable DevSecNinja/.github Pages workflow should pass APP_COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }} into the build env so PR builds use the real head commit.
Steps to reproduce
Expected behavior
Actual behavior
Environment