Hash collisions in GraphQL aliases in success lifecycle

<a href='https://hearts.dev/projects/3/users/smorrisods'><img width='50' alt='' align='right' src='https://hearts.dev/projects/3/users/smorrisods/tally.svg'></a>

I ran into an interesting failure in our CI pipeline when the `success` lifecycle of the `semantic-release/github` plugin ran the other day.  It didn't block our release but left the PR and issue updates incomplete. The error surfaced was:

```
Error: Field 'commit429fa6' has an argument conflict: {oid:"/"429fa60a84f7b59f9e4a20bfbea6b0fa977a1e1e/""} or {oid:"/"429fa667b462b60b31769e5268cfbc6835793c14/""}
```

This occurred due to two different commits within the release we were making sharing the same first 6 characters of their SHA (`429fa6`). It turns out the query builder, which builds the query to pass to GitHub's API, uses the first 6 characters of the SHA to create GraphQL aliases:

```js
commit${sha.slice(0, 6)}: object(oid: "${sha}") { ... }
```

This code is located at [Line 460 in `success.js`](https://github.com/semantic-release/github/blob/660b341b7fb0dfba1498d5f066a47e251efb5bca/lib/success.js#L460).

### Our CI pipeline failure

*   CI job: [ontario-design-system/actions/runs/19302965551/job/55202972489](https://github.com/ongov/ontario-design-system/actions/runs/19302965551/job/55202972489#step:7:5245)

### Background

This behaviour was introduced in PR #857, which rewrote the `success` lifecycle to use GitHub’s GraphQL API for better rate-limit handling.

The intention behind truncating to 6 characters was likely to keep aliases short and readable, but it introduces collisions in real-world repositories. As commits within a repo increase there is a higher likelihood of collision due to the birthday paradox effect.

In our case, we had a number of rapid changes occur and a larger than normal amount of commits generated that all wound up in the same release.

I ran some analysis on our repository of 2,724 commits (at the time of writing) and discovered we have two collision pairs of commits when considering the first 6 characters of the SHA.  The first collision pair contains two commits two years apart.  The offending collision pair that surfaced this issue contains two commits a few weeks apart.

### Impact

*   GraphQL requires unique aliases for fields with different arguments.
*   When two commits share the same prefix, the query fails with an argument conflict error from the GitHub GraphQL API.
*   This breaks the `success` lifecycle and prevents associated PRs from being fetched.

### Proposed Fix

Use a longer short SHA prefix, ≥7–12 chars.  GitHub uses 7 digit short SHAs, however the longer the slice the smaller the collision space is.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Hash collisions in GraphQL aliases in success lifecycle #1116

Our CI pipeline failure

Background

Impact

Proposed Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Hash collisions in GraphQL aliases in success lifecycle #1116

Description

Our CI pipeline failure

Background

Impact

Proposed Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions