Expected
In the code_scanning_alert webhook event with action: "fixed", the alert.fixed_at property should be typed as a nullable ISO 8601 date-time string:
```yaml
fixed_at:
  type: string
  format: date-time
  nullable: true
  description: >-
    The time that the alert was fixed in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ.
```

This would be consistent with how fixed_at is already defined on the REST API endpoint GET /repos/{owner}/{repo}/code-scanning/alerts/{alert_number}, where it is correctly typed as string or null with format: date-time.
Actual
The webhook schema for code_scanning_alert (action fixed) defines fixed_at with only type: null, meaning it can never contain a value — only null or absent.
Reproduction Steps
- Configure a repository webhook (or GitHub App) to receive `code_scanning_alert` events.
- Trigger a `code_scanning_alert` event with `action: "fixed"` (e.g., fix a CodeQL finding and merge to the default branch).
- Inspect the webhook payload. The `alert.fixed_at` field contains an ISO 8601 datetime string, e.g. `"2025-01-15T10:30:00Z"`.
- Attempt to validate this payload against a client generated from the OpenAPI spec. Validation fails because the schema only permits `null` for `fixed_at`.
Impact
Any strongly-typed client generated from this spec (e.g., githubkit for Python, Octokit for TypeScript) will reject valid code_scanning_alert "fixed" webhook payloads, because a non-null fixed_at value does not conform to the null-only schema.
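The mismatch, reproduced in a small added example (not code from this issue, the spec, or any GitHub client): a minimal check of `alert.fixed_at` against the current null-only fragment and against the proposed nullable date-time fragment, plus a defensive consumer-side parser that accepts both a timestamp and null so a handler keeps processing "fixed" events whatever the published spec says. The payload, schema dicts and function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of a code_scanning_alert webhook payload with action "fixed";
# only the fields relevant to this issue are included.
SAMPLE_FIXED_PAYLOAD = {
    "action": "fixed",
    "alert": {"number": 42, "state": "fixed", "fixed_at": "2025-01-15T10:30:00Z"},
}

# Schema fragments for alert.fixed_at as described in the issue (constructed dicts).
CURRENT_WEBHOOK_SCHEMA = {"type": "null"}  # what the webhook spec says today
PROPOSED_WEBHOOK_SCHEMA = {"type": "string", "format": "date-time", "nullable": True}

# Shape of the timestamp the payload actually carries: YYYY-MM-DDTHH:MM:SSZ
ISO_8601_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


def conforms(value, schema) -> bool:
    """Minimal check of a scalar against the OpenAPI 3.0 fragments above
    (type, nullable, date-time format). Enough to show why a generated
    client rejects a real "fixed" payload under the null-only schema."""
    if value is None:
        return schema["type"] == "null" or schema.get("nullable", False)
    if schema["type"] == "string" and isinstance(value, str):
        if schema.get("format") == "date-time":
            return ISO_8601_UTC.match(value) is not None
        return True
    return False


def parse_fixed_at(payload) -> Optional[datetime]:
    """Defensive consumer-side parsing: accept a date-time string or null
    regardless of which fixed_at type the published spec advertises, and
    reject anything else loudly instead of silently dropping the event."""
    raw = payload.get("alert", {}).get("fixed_at")
    if raw is None:
        return None
    if not isinstance(raw, str) or not ISO_8601_UTC.match(raw):
        raise ValueError(f"unexpected fixed_at value: {raw!r}")
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
```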
Reference
- REST API endpoint schema (correct): https://docs.github.com/en/rest/code-scanning/code-scanning#get-a-code-scanning-alert
- Webhook event docs: https://docs.github.com/en/webhooks/webhook-events-and-payloads#code_scanning_alert