octokit · gr2m · Mar 8, 2021 · Mar 8, 2021 · Mar 8, 2021
diff --git a/docs/codeScanning/listAlertsForRepo.md b/docs/codeScanning/listAlertsForRepo.md
@@ -15,7 +15,7 @@ this endpoint.
 
 The response includes a `most_recent_instance` object.
 This provides details of the most recent instance of this alert
-for the the default branch or for the specified Git reference
+for the default branch or for the specified Git reference
 (if you used `ref` in the request).
 
 ```js

diff --git a/docs/codeScanning/uploadSarif.md b/docs/codeScanning/uploadSarif.md
@@ -10,6 +10,11 @@ type: API method
 
 Uploads SARIF data containing the results of a code scanning analysis to make the results available in a repository. You must use an access token with the `security_events` scope to use this endpoint. GitHub Apps must have the `security_events` write permission to use this endpoint.
 
+There are two places where you can upload code scanning results.
+
+- If you upload to a pull request, for example `--ref refs/pull/42/merge` or `--ref refs/pull/42/head`, then the results appear as alerts in a pull request check. For more information, see "[Triaging code scanning alerts in pull requests](/github/finding-security-vulnerabilities-and-errors-in-your-code/triaging-code-scanning-alerts-in-pull-requests)."
+- If you upload to a branch, for example `--ref refs/heads/my-branch`, then the results appear in the **Security** tab for your repository. For more information, see "[Managing code scanning alerts for your repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)."
+
 You must compress the SARIF-formatted analysis data that you want to upload, using `gzip`, and then encode it as a Base64 format string. For example:
 
 ```
@@ -56,7 +61,8 @@ The SHA of the commit to which the analysis you are uploading relates.
 </td></tr>
 <tr><td>ref</td><td>yes</td><td>
 
-The full Git reference, formatted as `refs/heads/<branch name>`.
+The full Git reference, formatted as `refs/heads/<branch name>`,
+`refs/pull/<number>/merge`, or `refs/pull/<number>/head`.
 
 </td></tr>
 <tr><td>sarif</td><td>yes</td><td>

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -24,7 +24,7 @@
   "author": "Gregor Martynus (https://twitter.com/gr2m)",
   "license": "MIT",
   "dependencies": {
-    "@octokit/types": "^6.12.1",
+    "@octokit/types": "^6.12.2",
     "deprecation": "^2.3.1"
   },
   "devDependencies": {

diff --git a/scripts/update-endpoints/generated/endpoints.json b/scripts/update-endpoints/generated/endpoints.json
@@ -11391,7 +11391,7 @@
     "url": "/repos/{owner}/{repo}/code-scanning/alerts",
     "isDeprecated": false,
     "deprecationDate": null,
-    "description": "Lists all open code scanning alerts for the default branch (usually `main`\nor `master`). You must use an access token with the `security_events` scope to use\nthis endpoint. GitHub Apps must have the `security_events` read permission to use\nthis endpoint.\n\nThe response includes a `most_recent_instance` object.\nThis provides details of the most recent instance of this alert\nfor the the default branch or for the specified Git reference\n(if you used `ref` in the request).",
+    "description": "Lists all open code scanning alerts for the default branch (usually `main`\nor `master`). You must use an access token with the `security_events` scope to use\nthis endpoint. GitHub Apps must have the `security_events` read permission to use\nthis endpoint.\n\nThe response includes a `most_recent_instance` object.\nThis provides details of the most recent instance of this alert\nfor the default branch or for the specified Git reference\n(if you used `ref` in the request).",
     "documentationUrl": "https://docs.github.com/rest/reference/code-scanning#list-code-scanning-alerts-for-a-repository",
     "previews": [],
     "headers": [],
@@ -11878,7 +11878,7 @@
     "url": "/repos/{owner}/{repo}/code-scanning/sarifs",
     "isDeprecated": false,
     "deprecationDate": null,
-    "description": "Uploads SARIF data containing the results of a code scanning analysis to make the results available in a repository. You must use an access token with the `security_events` scope to use this endpoint. GitHub Apps must have the `security_events` write permission to use this endpoint.\n\nYou must compress the SARIF-formatted analysis data that you want to upload, using `gzip`, and then encode it as a Base64 format string. For example:\n\n```\ngzip -c analysis-data.sarif | base64\n```\n\nSARIF upload supports a maximum of 1000 results per analysis run. Any results over this limit are ignored. Typically, but not necessarily, a SARIF file contains a single run of a single tool. If a code scanning tool generates too many results, you should update the analysis configuration to run only the most important rules or queries.\n\nThe `202 Accepted`, response includes an `id` value.\nYou can use this ID to check the status of the upload by using this for the `/sarifs/{sarif_id}` endpoint.\nFor more information, see \"[Get information about a SARIF upload](/rest/reference/code-scanning#get-information-about-a-sarif-upload).\"",
+    "description": "Uploads SARIF data containing the results of a code scanning analysis to make the results available in a repository. You must use an access token with the `security_events` scope to use this endpoint. GitHub Apps must have the `security_events` write permission to use this endpoint.\n\nThere are two places where you can upload code scanning results.\n - If you upload to a pull request, for example `--ref refs/pull/42/merge` or `--ref refs/pull/42/head`, then the results appear as alerts in a pull request check. For more information, see \"[Triaging code scanning alerts in pull requests](/github/finding-security-vulnerabilities-and-errors-in-your-code/triaging-code-scanning-alerts-in-pull-requests).\"\n - If you upload to a branch, for example `--ref refs/heads/my-branch`, then the results appear in the **Security** tab for your repository. For more information, see \"[Managing code scanning alerts for your repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository).\"\n\nYou must compress the SARIF-formatted analysis data that you want to upload, using `gzip`, and then encode it as a Base64 format string. For example:\n\n```\ngzip -c analysis-data.sarif | base64\n```\n\nSARIF upload supports a maximum of 1000 results per analysis run. Any results over this limit are ignored. Typically, but not necessarily, a SARIF file contains a single run of a single tool. If a code scanning tool generates too many results, you should update the analysis configuration to run only the most important rules or queries.\n\nThe `202 Accepted`, response includes an `id` value.\nYou can use this ID to check the status of the upload by using this for the `/sarifs/{sarif_id}` endpoint.\nFor more information, see \"[Get information about a SARIF upload](/rest/reference/code-scanning#get-information-about-a-sarif-upload).\"",
     "documentationUrl": "https://docs.github.com/rest/reference/code-scanning#upload-an-analysis-as-sarif-data",
     "previews": [],
     "headers": [],
@@ -11924,7 +11924,7 @@
       },
       {
         "name": "ref",
-        "description": "The full Git reference, formatted as `refs/heads/<branch name>`.",
+        "description": "The full Git reference, formatted as `refs/heads/<branch name>`,\n`refs/pull/<number>/merge`, or `refs/pull/<number>/head`.",
         "in": "BODY",
         "type": "string",
         "required": true,

diff --git a/src/generated/method-types.ts b/src/generated/method-types.ts
@@ -2405,7 +2405,7 @@ export type RestEndpointMethods = {
      *
      * The response includes a `most_recent_instance` object.
      * This provides details of the most recent instance of this alert
-     * for the the default branch or for the specified Git reference
+     * for the default branch or for the specified Git reference
      * (if you used `ref` in the request).
      */
     listAlertsForRepo: {
@@ -2471,6 +2471,10 @@ export type RestEndpointMethods = {
     /**
      * Uploads SARIF data containing the results of a code scanning analysis to make the results available in a repository. You must use an access token with the `security_events` scope to use this endpoint. GitHub Apps must have the `security_events` write permission to use this endpoint.
      *
+     * There are two places where you can upload code scanning results.
+     *  - If you upload to a pull request, for example `--ref refs/pull/42/merge` or `--ref refs/pull/42/head`, then the results appear as alerts in a pull request check. For more information, see "[Triaging code scanning alerts in pull requests](/github/finding-security-vulnerabilities-and-errors-in-your-code/triaging-code-scanning-alerts-in-pull-requests)."
+     *  - If you upload to a branch, for example `--ref refs/heads/my-branch`, then the results appear in the **Security** tab for your repository. For more information, see "[Managing code scanning alerts for your repository](/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository)."
+     *
      * You must compress the SARIF-formatted analysis data that you want to upload, using `gzip`, and then encode it as a Base64 format string. For example:
      *
      * ```