diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 3db01cdc1..0a772a2da 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -8,10 +8,10 @@ name: CodeQL
 # scanned. This workflow fills that gap by explicitly scanning both
 # branches on push and PR.
 #
-# Runs on ubuntu-latest (GHA-hosted — public repo, free). GHAS is NOT
-# enabled on this repo, so results are not uploaded to the Security
-# tab — the scan fails the PR check on findings, and the SARIF is
-# kept as a workflow artifact for triage.
+# Runs on ubuntu-latest (GHA-hosted — public repo, free). SARIF is
+# uploaded to the Security tab via upload-sarif, and also kept as a
+# workflow artifact for triage. The scan still fails the PR check on
+# findings.
 
 on:
 push:
@@ -38,7 +38,7 @@ concurrency:
 permissions:
 actions: read
 contents: read
- # No security-events: write — we don't call the upload API.
+ security-events: write
 
 jobs:
 analyze:
@@ -84,11 +84,21 @@ jobs:
 uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
 with:
 category: "/language:${{ matrix.language }}"
- # upload: never — GHAS isn't enabled on this repo, so the
- # upload API 403s. Write SARIF locally instead.
+ # upload: never — we use a separate upload-sarif step so the
+ # upload runs even when findings fail the job.
 upload: never
 output: sarif-results/${{ matrix.language }}
 
+ - name: Upload SARIF to GitHub Security tab
+ # Uploads SARIF to the code scanning API so findings appear in
+ # the Security tab (requires GHAS or public repo). Runs before
+ # parse so the upload succeeds even when findings fail the job.
+ if: always()
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: sarif-results/${{ matrix.language }}/
+ category: codeql-${{ matrix.language }}
+
 - name: Parse SARIF + fail on findings
 # The analyze step writes .sarif into the output
 # directory — database name is the short CodeQL lang id, not
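Review bot: `security-events: write` is added to the workflow-level `permissions:` block, which grants it to every job in the file rather than only to the `analyze` job that performs the upload; moving it into a job-level `permissions:` under `analyze` (keeping `actions: read` and `contents: read` there too) follows least privilege — whether other jobs exist is outside this hunk. Separately, on `pull_request` runs from forks the GITHUB_TOKEN is read-only regardless of what this block declares, so the new upload step would likely fail on fork PRs of this public repo unless it is conditioned on the PR head coming from the same repository.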
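Review bot: The new step references `github/codeql-action/upload-sarif@v3`, a floating major tag, while the analyze step a few lines above pins the same action family to a full commit (`95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2`); a mutable tag lets the step's code change without any diff in this repo, and it also mixes a v3 upload with v4 analyze output in one job. Pin it to the same commit: `uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2`. The `if: always()` is broader than its comment states: findings only fail the job in the later Parse step, so the upload already runs before that with the default condition, and `always()` additionally runs the upload when analyze itself failed (no SARIF written) or the run was cancelled, turning a build failure into a misleading upload error — dropping the `if:` line is sufficient. The `category: codeql-${{ matrix.language }}` also differs from the `/language:${{ matrix.language }}` category the analyze step writes into the SARIF; if upload-sarif overrides it, results would land in a different series than the analyze output, so one value should be used in both places.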