[WIP] Support SHA-256 Git object hashes

[Copilot]

Thanks for asking me to work on this. I will get started on it and keep this PR's description up to date as I form a plan and make progress.

---

This section details on the original issue you should resolve

<issue_title>codeql-action: Support SHA-256 Git object hashes</issue_title>
<issue_description>## Background

Git is transitioning to SHA-256 as the default object hash algorithm. SHA-1 OIDs are 40 hex characters; SHA-256 OIDs are 64 hex characters. Git 3.0 will default to SHA-256 around September 2026. GitHub must support SHA-256 repositories by May 29, 2026.

Findings

Production code that breaks with SHA-256 repos

src/git-utils.ts:299 — getFileOidsUnderPath()

The regex [0-9a-f]{40} only matches SHA-1 OIDs. In a SHA-256 repo, git ls-files --stage returns 64-char OIDs, so all entries fail to match and an error is thrown.

const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
// Should be:
const regex = /^[0-9]+ ([0-9a-f]{40,64}) [0-9]+\t(.+)$/;

src/git-utils.ts:169-170 — determineBaseBranchHeadCommitOid()

The length checks assume 40-char SHA-1 OIDs. For SHA-256 repos, headOid and baseOid are 64 chars, so the condition is always false and the function silently returns undefined, falling back to server-side base SHA calculation.

headOid.length === 40 && baseOid.length === 40
// Should be:
(headOid.length === 40 || headOid.length === 64) &&
(baseOid.length === 40 || baseOid.length === 64)

Test coverage gaps

• src/git-utils.test.ts: All test SHAs are 40-char SHA-1. Need SHA-256 variants for getFileOidsUnderPath, determineBaseBranchHeadCommitOid, and getRef tests.
• src/testing-utils.ts: GITHUB_SHA: "0".repeat(40) — add a 64-char SHA-256 constant for use in SHA-256 test scenarios.
• src/upload-lib.test.ts: Hardcoded 40-char base_sha — add a 64-char variant.

Not affected

• upload-lib/types.ts, trap-caching.ts, overlay/caching.ts, database-upload.ts — SHAs are plain strings, no length validation
• caching-utils.ts, fingerprints.ts — use their own internal hashing, unrelated to Git OIDs

Plan

1. Fix getFileOidsUnderPath() regex: {40} → {40,64}
2. Fix determineBaseBranchHeadCommitOid() length checks to also accept 64
3. Add SHA-256 test cases for getFileOidsUnderPath
4. Add SHA-256 test case for determineBaseBranchHeadCommitOid
5. Add SHA-256 variants to getRef tests
6. Add SHA256_GITHUB_SHA constant to testing-utils.ts
7. Add SHA-256 upload payload variant to upload-lib.test.ts</issue_description>

Comments on the Issue (you are @copilot in this section)