.github/workflows/codeql.yml

@@ -8,10 +8,10 @@ name: CodeQL
 # scanned. This workflow fills that gap by explicitly scanning both
 # branches on push and PR.
 #
-# Runs on ubuntu-latest (GHA-hosted — public repo, free). GHAS is NOT
-# enabled on this repo, so results are not uploaded to the Security
-# tab — the scan fails the PR check on findings, and the SARIF is
-# kept as a workflow artifact for triage.
+# Runs on ubuntu-latest (GHA-hosted — public repo, free). SARIF is
+# uploaded to the Security tab via upload-sarif, and also kept as a
+# workflow artifact for triage. The scan still fails the PR check on
+# findings.
 
 on:
   push:
@@ -38,7 +38,7 @@ concurrency:
 permissions:
   actions: read
   contents: read
-  # No security-events: write — we don't call the upload API.
+  security-events: write
 
 jobs:
   analyze:
@@ -84,11 +84,21 @@ jobs:
         uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           category: "/language:${{ matrix.language }}"
-          # upload: never — GHAS isn't enabled on this repo, so the
-          # upload API 403s. Write SARIF locally instead.
+          # upload: never — we use a separate upload-sarif step so the
+          # upload runs even when findings fail the job.
           upload: never
           output: sarif-results/${{ matrix.language }}
 
+      - name: Upload SARIF to GitHub Security tab
+        # Uploads SARIF to the code scanning API so findings appear in
+        # the Security tab (requires GHAS or public repo). Runs before
+        # parse so the upload succeeds even when findings fail the job.
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: sarif-results/${{ matrix.language }}/
+          category: codeql-${{ matrix.language }}
+
       - name: Parse SARIF + fail on findings
         # The analyze step writes <database>.sarif into the output
         # directory — database name is the short CodeQL lang id, not