Add support for SHA-256 Git object IDs#3893

Open
henrymercer wants to merge 3 commits into
mainfrom
henrymercer/sha256

Conversation

@henrymercer (Contributor)

Update assumptions about Git OIDs to support SHA-256 OIDs, and add unit tests.

This incorporates review feedback from #3872.

Risk assessment

For internal use only. Please select the risk level of this change:

  • Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Which use cases does this change impact?

Workflow types:

  • Advanced setup - Impacts users who have custom CodeQL workflows.
  • Managed - Impacts users with dynamic workflows (Default Setup, Code Quality, ...).

Products:

  • Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
  • Code Quality - The changes impact analyses when analysis-kinds: code-quality.
  • Other first-party - The changes impact other first-party analyses.
  • Third-party analyses - The changes affect the upload-sarif action.

Environments:

  • Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.
  • GHES - Impacts CodeQL workflows on GitHub Enterprise Server.

How did/will you validate this change?

  • Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
  • End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

  • Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

  • Telemetry - I rely on existing telemetry or have made changes to the telemetry.
    • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

  • No special considerations - This change can be merged at any time.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Consider adding a changelog entry for this change.
  • Confirm the readme and docs have been updated if necessary.

@henrymercer henrymercer requested a review from mbg May 12, 2026 17:27
@henrymercer henrymercer requested a review from a team as a code owner May 12, 2026 17:27
Copilot AI review requested due to automatic review settings May 12, 2026 17:27
@github-actions github-actions Bot added the size/S Should be easy to review label May 12, 2026
Copilot AI left a comment

Pull request overview

This PR updates git OID handling to support SHA-256 repositories (64-hex object IDs) in the CodeQL Action, and adds unit tests to validate the updated parsing behavior.

Changes:

  • Accept 64-character (SHA-256) OIDs when deriving the base branch head commit from a PR merge commit.
  • Extend git ls-files --stage parsing to accept SHA-1 (40) and SHA-256 (64) OID lengths (and reject other lengths).
  • Add unit tests covering SHA-256 OIDs for both code paths, and update the changelog.
Summary per file:

  • src/git-utils.ts: Updates OID length assumptions and ls-files parsing to support SHA-256.
  • src/git-utils.test.ts: Adds unit tests for SHA-256 OIDs and invalid OID lengths.
  • CHANGELOG.md: Records the new SHA-256 git object ID support as an unreleased change.
  • lib/upload-sarif-action.js, lib/upload-lib.js, lib/setup-codeql-action.js, lib/resolve-environment-action.js, lib/init-action.js, lib/init-action-post.js, lib/autobuild-action.js, lib/analyze-action.js, lib/analyze-action-post.js: Generated JS output reflecting the TypeScript changes.

Copilot's findings

  • Files reviewed: 3/12 changed files
  • Comments generated: 1

Comment thread src/git-utils.ts Outdated
// The fields are: <mode> <oid> <stage>\t<path>
const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
// The OID is either 40 (SHA-1) or 64 (SHA-256) hex characters.
const regex = /^[0-9]+ ([0-9a-f]{40}(?:[a-f0-9]{24})?) [0-9]+\t(.+)$/;
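Review bot: the replacement regex `[0-9a-f]{40}(?:[a-f0-9]{24})?` does accept exactly 40 or 64 hex digits, because the group is bounded by the `^` anchor and the literal spaces on both sides, but the "40 + optional 24" encoding hides that intent and mixes two orderings of the same character class (`[0-9a-f]` vs `[a-f0-9]`). Writing it as an explicit alternation, `([0-9a-f]{40}|[0-9a-f]{64})`, states the two supported lengths directly and is easier to check against the comment above it. The comment could also say that any other length fails to match, since the unit tests for invalid OID lengths rely on that.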
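As an added illustration of the two code paths the review overview describes (validating an OID of either supported length, and parsing `git ls-files --stage` output while rejecting any other OID length), here is a self-contained TypeScript example. It is not the CodeQL Action's own code; the function names and the sample output are constructed for this example.

```typescript
// Added example, not the CodeQL Action's own code: a parser for `git ls-files --stage`
// output that accepts SHA-1 (40 hex) and SHA-256 (64 hex) object IDs and rejects
// every other length. Function names here are hypothetical.

// One line of `git ls-files --stage` looks like: <mode> <oid> <stage>\t<path>
// The OID alternation is bounded by the surrounding spaces and the ^ anchor, so an OID
// of 41..63 or 65+ hex digits (a truncated or corrupted ID) can never match.
const LS_FILES_STAGE_LINE = /^([0-7]+) ([0-9a-f]{40}|[0-9a-f]{64}) ([0-3])\t(.+)$/;

// Stand-alone check for a lowercase hex OID of a supported length.
const GIT_OID = /^(?:[0-9a-f]{40}|[0-9a-f]{64})$/;

interface StagedEntry {
  mode: string;   // e.g. "100644" (regular file), "120000" (symlink), "160000" (submodule)
  oid: string;    // 40 or 64 lowercase hex characters
  stage: number;  // 0 normally; 1..3 for the conflict stages during a merge
  path: string;
}

function isGitObjectId(candidate: string): boolean {
  return GIT_OID.test(candidate);
}

// Parses the full output of `git ls-files --stage`. Throws on any line that does not
// match the expected shape, so a malformed OID is a hard error rather than an entry
// carrying a bogus ID. Note: without `-z`, git quotes paths containing unusual
// characters (core.quotePath); this example does not unquote them.
function parseLsFilesStage(output: string): StagedEntry[] {
  const entries: StagedEntry[] = [];
  for (const line of output.split("\n")) {
    if (line === "") continue; // a trailing newline yields an empty final element
    const match = LS_FILES_STAGE_LINE.exec(line);
    if (match === null) {
      throw new Error(`Unexpected git ls-files --stage line: ${JSON.stringify(line)}`);
    }
    const [, mode, oid, stage, path] = match;
    entries.push({ mode, oid, stage: Number.parseInt(stage, 10), path });
  }
  return entries;
}

// Constructed sample output: one SHA-1 entry and one SHA-256 entry (the well-known
// hashes of the empty input, used here only as well-formed 40- and 64-char OIDs).
const SAMPLE_LS_FILES_OUTPUT =
  "100644 da39a3ee5e6b4b0d3255bfef95601890afd80709 0\tsrc/git-utils.ts\n" +
  "100644 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0\tsrc/git-utils.test.ts\n";

console.log(parseLsFilesStage(SAMPLE_LS_FILES_OUTPUT));
```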