diff --git a/app/server/verify_workflow.go b/app/server/verify_workflow.go
index d0e2ceb7..a936e980 100644
--- a/app/server/verify_workflow.go
+++ b/app/server/verify_workflow.go
@@ -263,10 +263,16 @@ func (g *githubVerifier) contains(owner, repo, hash string) (bool, error) {
 if contains {
 return true, nil
 }
- // github/codeql-action has commits from their v1 release branch that don't show up in the default branch
+ // github/codeql-action has commits from their v1 and v2 release branch that don't show up in the default branch
 // this isn't the best approach for now, but theres no universal "does this commit belong to this repo" call
 if owner == "github" && repo == "codeql-action" {
- contains, err = g.branchContains("releases/v1", owner, repo, hash)
+ contains, err = g.branchContains("releases/v2", owner, repo, hash)
+ if err != nil {
+ return false, err
+ }
+ if !contains {
+ contains, err = g.branchContains("releases/v1", owner, repo, hash)
+ }
 }
 return contains, err
 }
diff --git a/app/server/verify_workflow_test.go b/app/server/verify_workflow_test.go
index f2751044..7a185423 100644
--- a/app/server/verify_workflow_test.go
+++ b/app/server/verify_workflow_test.go
@@ -115,13 +115,14 @@ func (s suffixStubTripper) RoundTrip(r *http.Request) (*http.Response, error) {
 }, nil
 }
 
-func Test_githubVerifier_contains(t *testing.T) {
+func Test_githubVerifier_contains_codeql_v1(t *testing.T) {
 t.Parallel()
 httpClient := http.Client{
 Transport: suffixStubTripper{
 responsePaths: map[string]string{
 "codeql-action": "./testdata/api/github/repository.json", // api call which finds the default branch
 "main...somehash": "./testdata/api/github/divergent.json", // doesnt belong to default branch
+ "v2...somehash": "./testdata/api/github/divergent.json", // doesnt belong to releases/v2 branch
 "v1...somehash": "./testdata/api/github/containsCommit.json", // belongs to releases/v1 branch
 },
 },
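Review bot: The v2-then-v1 probe inside `if owner == "github" && repo == "codeql-action"` is written as nested calls, so every further release branch would add another `if !contains` level; a loop over an ordered branch list keeps the same fail-closed behaviour (return on the first error, stop on the first match) while making the list the only thing to edit. Returning the v2 error before probing v1 is the right choice for a verification path — a transient API failure must not be turned into a negative answer that a caller could treat as a verdict — and the rewrite below preserves it. The updated comment should read `release branches` rather than `release branch`, and it helps to say the list is ordered newest-first. The start of contains (the default-branch check that sets `contains` and `err`) is outside the hunk.
```go
	// … unchanged: early return when the default branch already contains hash …
	// github/codeql-action has commits from its release branches that don't show up in the default branch
	// this isn't the best approach for now, but theres no universal "does this commit belong to this repo" call
	if owner == "github" && repo == "codeql-action" {
		// newest branch first; stop at the first match and fail closed on any API error
		for _, branch := range []string{"releases/v2", "releases/v1"} {
			contains, err = g.branchContains(branch, owner, repo, hash)
			if err != nil || contains {
				return contains, err
			}
		}
	}
	return contains, err
```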
@@ -140,6 +141,31 @@ func Test_githubVerifier_contains(t *testing.T) {
 }
 }
 
+func Test_githubVerifier_contains_codeql_v2(t *testing.T) {
+ t.Parallel()
+ httpClient := http.Client{
+ Transport: suffixStubTripper{
+ responsePaths: map[string]string{
+ "codeql-action": "./testdata/api/github/repository.json", // api call which finds the default branch
+ "main...somehash": "./testdata/api/github/divergent.json", // doesnt belong to default branch
+ "v2...somehash": "./testdata/api/github/containsCommit.json", // belongs to releases/v2 branch
+ },
+ },
+ }
+ client := github.NewClient(&httpClient)
+ gv := githubVerifier{
+ ctx: context.Background(),
+ client: client,
+ }
+ got, err := gv.contains("github", "codeql-action", "somehash")
+ if err != nil {
+ t.Fatalf("unexpected error: %v", err)
+ }
+ if got != true {
+ t.Errorf("expected to contain hash, but it didnt")
+ }
+}
+
 func FuzzVerifyWorkflow(f *testing.F) {
 testfiles := []string{
 "testdata/workflow-valid.yml",
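Review bot: `if got != true {` in Test_githubVerifier_contains_codeql_v2 should be `if !got {` (staticcheck S1002); the renamed v1 test's assertion lines are outside the -115 hunk and presumably use the same pattern. The v2 case deliberately stubs only `"v2...somehash"`, which only proves the new ordering if suffixStubTripper fails loudly for an unknown suffix — that behaviour is defined outside the hunk, so it is worth confirming that an unexpected fall-through into the `releases/v1` probe surfaces as an error rather than a silent pass. Both tests repeat the same client and verifier setup; a comment on the v2 test such as `// v2 is probed before v1, so a v2 hit must not fall through to the v1 stub` would make the ordering under test explicit.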