This issue only happens in attestations done from PRs in GitHub Actions. Since GitHub creates a temporary merge commit for the PR, the attestation reports it as the commit at HEAD, instead of the latest commit in the PR (the actual branch head).
This is a known feature / issue in GitHub and probably others, well explained here https://www.codegenes.net/blog/get-commit-sha-in-github-actions/.
The result is that attestations end up referring to ghost commits in the referral graph. This is especially relevant when users also create attestations from agentic workflows: local attestations don't match any PR because their commit SHAs are different (and they shouldn't).
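One way to pick the commit to record, as an added example that is not part of the original report or of the project's code: on `pull_request` runs it reads `pull_request.head.sha` from the event payload at `GITHUB_EVENT_PATH` instead of trusting `GITHUB_SHA`. The function name `resolve_head_commit` is hypothetical and the SHAs in the demo are constructed.

```python
import json
import os
import tempfile


def resolve_head_commit(env):
    """Return (sha, source) for the commit an attestation should reference.

    On pull_request runs GITHUB_SHA is GitHub's temporary merge commit, so the
    branch head is taken from the event payload instead.
    """
    sha = env.get("GITHUB_SHA", "")
    if env.get("GITHUB_EVENT_NAME") != "pull_request":
        # push, schedule, etc.: GITHUB_SHA is already the real commit.
        return sha, "GITHUB_SHA"
    try:
        with open(env["GITHUB_EVENT_PATH"], encoding="utf-8") as fh:
            payload = json.load(fh)
        head = payload["pull_request"]["head"]["sha"]
    except (KeyError, OSError, ValueError, TypeError):
        # Payload missing or malformed: fall back, but label the value so the
        # caller can flag the attestation instead of silently recording it.
        return sha, "GITHUB_SHA (fallback, may be a merge commit)"
    return head, "pull_request.head.sha"


def demo():
    # Constructed values: "a"*40 stands for the merge commit, "b"*40 for the
    # PR branch head.
    merge_sha, head_sha = "a" * 40, "b" * 40
    with tempfile.TemporaryDirectory() as tmp:
        event_path = os.path.join(tmp, "event.json")
        with open(event_path, "w", encoding="utf-8") as fh:
            json.dump({"pull_request": {"head": {"sha": head_sha}}}, fh)
        pr_env = {
            "GITHUB_EVENT_NAME": "pull_request",
            "GITHUB_SHA": merge_sha,
            "GITHUB_EVENT_PATH": event_path,
        }
        push_env = {"GITHUB_EVENT_NAME": "push", "GITHUB_SHA": head_sha}
        return resolve_head_commit(pr_env), resolve_head_commit(push_env)


if __name__ == "__main__":
    for sha, source in demo():
        print(sha, "from", source)
```

In a workflow, pass `os.environ` as `env`; the returned source string tells the caller whether the recorded SHA can be matched against a locally created attestation.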