Pull request decoration using the Checks API is based on commits, not on the pull request number. Some build services, such as Travis CI, analyze the merge commit (the commit that results from merging the branch onto its target). In such builds the sha1 written to the scanner report will not match the head of the PR. The merge commit sha1 is not useful for decoration, because it won't be visible on the pull request. The sha1 to decorate is therefore chosen as follows:
- If the sha1 in the scanner report matches the head of the PR, then decorate that sha1
- If the sha1 in the scanner report matches the merge sha1 of the PR, then decorate the sha1 of the head of the PR
- Otherwise do not decorate
Note: this simple algorithm does not handle well the case where a new commit was pushed to the PR, or where history was rewritten: in both cases decoration is skipped. We could probably do better, and improve on this later.
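The selection rule above, written out as an added example (not code from the project this note describes). It assumes the PR is available as a dict shaped like GitHub's pull request object, with `head.sha` and `merge_commit_sha`; the function name and the sample sha1 values are constructed for illustration.

```python
import re
from typing import Optional

_FULL_SHA1 = re.compile(r"[0-9a-f]{40}")

# Constructed sample values, not real commits.
HEAD = "1f" * 20      # current head of the PR
MERGE = "2e" * 20     # merge commit built by the CI service
OLD_HEAD = "3d" * 20  # head before a later push or a history rewrite
PR = {"head": {"sha": HEAD}, "merge_commit_sha": MERGE}


def _norm(sha) -> Optional[str]:
    """Return a lower-cased full 40-hex sha1, or None if the value is unusable."""
    if not isinstance(sha, str):
        return None
    sha = sha.strip().lower()
    # Abbreviated sha1s are rejected: a prefix match could pick the wrong commit.
    return sha if _FULL_SHA1.fullmatch(sha) else None


def resolve_decoration_sha(report_sha, pull_request) -> Optional[str]:
    """Return the sha1 to decorate, or None when decoration must be skipped."""
    report = _norm(report_sha)
    head = _norm((pull_request.get("head") or {}).get("sha"))
    merge = _norm(pull_request.get("merge_commit_sha"))
    if report is None or head is None:
        return None
    if report == head:
        return head   # the build analyzed the PR head itself
    if merge is not None and report == merge:
        return head   # the build analyzed the merge commit: decorate the head
    # New commit pushed or history rewritten: the report describes a commit
    # that is no longer the head, so nothing is decorated.
    return None


if __name__ == "__main__":
    for label, sha in [("head", HEAD), ("merge", MERGE), ("stale", OLD_HEAD)]:
        print(label, "->", resolve_decoration_sha(sha, PR))
```

Returning `None` for a stale report means an analysis result is never attached to a commit that was not the one analyzed or merged for analysis.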