Pull Request head sha not correct

[lawndoc]

Describe the bug
When triggered by pull_request, both the GITHUB_REF_NAME and GITHUB_SHA default variables will reference the last merge commit of the pull request merge branch rather than the actual last commit to the head branch (see documentation). This causes pull request runs to scan 0 commits most of the time (see screenshots).

To Reproduce
Steps to reproduce the behavior:

1. Create a branch in a repo with this workflow set up
2. Create any number of regular commits in the repo
3. Create a pull request
4. Compare the last commit hash to the head commit hash used and check the number of commits scanned

Expected behavior
Gitleaks should be scanning from the last commit of the head branch

Screenshots
Workflow run

SHA of last commit on head branch that triggered the above workflow

Additional context
According to the documentation linked above, we should be able to get what we need from github.event.pull_request.head.sha, but it will probably need to be passed into the script somehow.

[lawndoc]

I'll work on this one in my fork

[lawndoc]

I found a way to fix this with minimal modification. In entrypoint.sh, we can change the head_sha variable to:

head_sha=$(git rev-list --no-merges -n 1 refs/remotes/pull/${GITHUB_REF_NAME})

which will grab the most recent commit from the head branch while excluding merge commits.

[lawndoc]

Yep, looks like that fixed it: