[Schema Inaccuracy] code_scanning_alert closed_by_user webhook: fixed_at typed as null instead of date-time string #6081
Description
Expected
In the code_scanning_alert webhook event with action: "closed_by_user", the alert.fixed_at property should be typed as a nullable ISO 8601 date-time string:
fixed_at:
type: string
format: date-time
nullable: true
description: >-
The time that the alert was fixed in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ.This would be consistent with how fixed_at is already defined on:
- The REST API endpoint
GET /repos/{owner}/{repo}/code-scanning/alerts/{alert_number}, where it is correctly typed asstring or nullwithformat: date-time. - The
code_scanning_alertwebhook withaction: "fixed"(corrected in [Schema Inaccuracy] code_scanning_alert fixed webhook: fixed_at typed as null instead of date-time string #6058).
Actual
The webhook schema for code_scanning_alert (action closed_by_user) defines fixed_at with only type: null, meaning it can never contain a value — only null or absent.
Reproduction Steps
- Configure a repository webhook (or GitHub App) to receive
code_scanning_alertevents. - Have a code scanning alert that was previously auto-fixed (
state: "fixed",fixed_atpopulated with a datetime). - A user closes (dismisses) the alert via the GitHub UI, triggering a
code_scanning_alertwebhook withaction: "closed_by_user". - Inspect the webhook payload. The
alert.fixed_atfield contains an ISO 8601 datetime string, e.g."2026-03-04T17:53:59Z". - Attempt to validate this payload against a client generated from the OpenAPI spec. Validation fails because the schema only permits
nullforfixed_at.
Impact
Any strongly-typed client generated from this spec (e.g., githubkit for Python, Octokit for TypeScript) will reject valid code_scanning_alert closed_by_user webhook payloads because fixed_at does not conform to the null-only schema.
Reference
- Previous fix for the same field on the
fixedaction: [Schema Inaccuracy] code_scanning_alert fixed webhook: fixed_at typed as null instead of date-time string #6058 - REST API endpoint schema (correct): https://docs.github.com/en/rest/code-scanning/code-scanning#get-a-code-scanning-alert
- Webhook event docs: https://docs.github.com/en/webhooks/webhook-events-and-payloads#code_scanning_alert