From 37f05fdd97ef69a3a8f2033b45fe996c41030f51 Mon Sep 17 00:00:00 2001
From: "Molecule AI Dev Engineer A (Kimi)"
Date: Sun, 31 May 2026 23:40:40 +0000
Subject: [PATCH] fix(codeql): add SARIF upload step for GitHub Security tab (#1044)

- Add github/codeql-action/upload-sarif@v3 step after analysis
- Grant security-events: write permission for upload API
- Update workflow comments to reflect public-repo free scanning
- SARIF path matches existing analyze output: sarif-results//

Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/codeql.yml | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 3db01cdc1..0a772a2da 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -8,10 +8,10 @@ name: CodeQL
 # scanned. This workflow fills that gap by explicitly scanning both
 # branches on push and PR.
 #
-# Runs on ubuntu-latest (GHA-hosted — public repo, free). GHAS is NOT
-# enabled on this repo, so results are not uploaded to the Security
-# tab — the scan fails the PR check on findings, and the SARIF is
-# kept as a workflow artifact for triage.
+# Runs on ubuntu-latest (GHA-hosted — public repo, free). SARIF is
+# uploaded to the Security tab via upload-sarif, and also kept as a
+# workflow artifact for triage. The scan still fails the PR check on
+# findings.
 
 on:
   push:
@@ -38,7 +38,7 @@ concurrency:
 permissions:
   actions: read
   contents: read
-  # No security-events: write — we don't call the upload API.
+  security-events: write
 
 jobs:
   analyze:
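Review bot: `security-events: write` is added without the why-comment the removed line carried, and it sits in the workflow-level `permissions:` block, so it is granted to every job in the file rather than only to the job whose step calls the upload API. Keep the rationale next to the grant, `security-events: write  # needed by upload-sarif to call the code scanning API`, and if the workflow has more than one job (only `analyze` is visible in this hunk) move the grant into that job's own `permissions:` so the write scope stays as narrow as the upload that needs it.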
@@ -84,11 +84,21 @@ jobs:
         uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           category: "/language:${{ matrix.language }}"
-          # upload: never — GHAS isn't enabled on this repo, so the
-          # upload API 403s. Write SARIF locally instead.
+          # upload: never — we use a separate upload-sarif step so the
+          # upload runs even when findings fail the job.
           upload: never
           output: sarif-results/${{ matrix.language }}
 
+      - name: Upload SARIF to GitHub Security tab
+        # Uploads SARIF to the code scanning API so findings appear in
+        # the Security tab (requires GHAS or public repo). Runs before
+        # parse so the upload succeeds even when findings fail the job.
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: sarif-results/${{ matrix.language }}/
+          category: codeql-${{ matrix.language }}
+
       - name: Parse SARIF + fail on findings
         # The analyze step writes .sarif into the output
         # directory — database name is the short CodeQL lang id, not
--
2.52.0
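Review bot: `uses: github/codeql-action/upload-sarif@v3` tracks a mutable major tag while the `analyze` step a few lines above pins the same action family to a full commit SHA with a version comment (`@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2`); the new step should be pinned the same way, and to the same codeql-action release, rather than mixing a v3 tag and a v4 SHA in one job. `if: always()` is not needed for the purpose the comment gives — the parse step that fails on findings runs after this one, so the upload already happens before that failure — and it makes the upload run after an `analyze` failure when `sarif-results/${{ matrix.language }}/` may not exist, turning one failure into two; dropping the `if:` line and leaving the default condition is enough. Since the workflow also runs on pull requests, note that for runs triggered from forks the token presumably stays read-only regardless of the `permissions:` block, so the upload can fail there; either guard the step with a condition that excludes that case or state in the comment that the failure is expected.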