Open jsoref opened 8 months ago
Note: It'd be vaguely useful if the runner didn't actually give out a token for security-events if it wasn't allowed to because there wasn't a license -- that'd at least enable users to quickly recognize that there's a problem by looking at the top of the log. But that's outside the scope of this repository.
As noted in https://github.com/github/codeql-action/pull/2121#discussion_r1483012019 and https://github.com/github/codeql-action/issues/2117#issuecomment-1934863805, check-spelling has special code to handle the case where a user thinks they can use

```yaml
security-events: ...
```

to talk to SARIF reporting, but they're in a private repository and that repository doesn't have GitHub Advanced Security enabled:

https://github.com/check-spelling/check-spelling/blob/26b46adbdebd5dd0b34c7155113d50c40f43fb22/unknown-words.sh#L1610-L1618
https://github.com/check-spelling/check-spelling/blob/26b46adbdebd5dd0b34c7155113d50c40f43fb22/unknown-words.sh#L1122-L1126
Which results in this (more or less):

```text
Check Spelling: .github/workflows/spelling.yml#L106 Unsupported configuration: use_sarif needs GitHub Advanced Security to be enabled - see https://docs.github.com/get-started/learning-about-github/about-github-advanced-security. (unsupported-configuration)
```
The codeql-action should have some code to handle this as well.
Ideally it'd do it in a way that is not fatal to actions/workflows that consume it.
check-spelling has to carefully decide not to call github/codeql-action today if it figures out that it'll fail, otherwise the action/workflow dies because of this fault.
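The pre-flight check the issue describes, as an added example rather than check-spelling's or codeql-action's own code: a workflow helper decides whether a SARIF upload can succeed before the upload step runs, and otherwise emits an annotation in the style quoted above instead of letting the job die on the token or license error. It assumes the caller has already fetched `GET /repos/{owner}/{repo}` from the GitHub API and that the response carries the documented `visibility` and `security_and_analysis.advanced_security.status` fields (the latter is only returned to sufficiently privileged tokens); the sample response is constructed, jq is assumed to be unavailable so fields are pulled out with sed, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not check-spelling's or codeql-action's code): gate a SARIF
# upload on whether the repository can actually accept it, so a missing GitHub
# Advanced Security license produces a clear annotation instead of a dead job.
#
# Assumptions (not taken from the issue):
#   - the caller fetched GET /repos/{owner}/{repo}; its "visibility" and
#     "security_and_analysis.advanced_security.status" fields are read, and the
#     latter is only visible to sufficiently privileged tokens;
#   - jq is not available, so fields are extracted with sed.

# Constructed sample response: a private repository without GHAS enabled.
SAMPLE_REPO_JSON='{
  "full_name": "example-org/example-repo",
  "private": true,
  "visibility": "private",
  "security_and_analysis": {
    "advanced_security": { "status": "disabled" },
    "secret_scanning": { "status": "disabled" }
  }
}'

# Extract the "visibility" value from a repository JSON document.
repo_visibility_from_json() {
  printf '%s' "$1" | tr -d '\n ' | sed -n 's/.*"visibility":"\([a-z]*\)".*/\1/p'
}

# Extract advanced_security.status; prints nothing when the object is absent,
# which is what the API returns for repositories where GHAS is not licensed.
ghas_status_from_json() {
  printf '%s' "$1" | tr -d '\n ' |
    sed -n 's/.*"advanced_security":{"status":"\([a-z]*\)".*/\1/p'
}

# $1 = repository visibility, $2 = GHAS status ("enabled", "disabled" or "").
# Returns 0 when a code scanning upload is expected to work: public repositories
# get code scanning without GHAS; private and internal ones need it enabled.
should_upload_sarif() {
  case "$1" in
    public) return 0 ;;
  esac
  [ "$2" = "enabled" ]
}

# Emit a GitHub Actions error annotation pointing at the workflow line that set
# use_sarif; returns 1 so the caller chooses whether this fails the job.
report_unsupported_sarif() {
  printf '::error file=%s,line=%s,title=Unsupported configuration::use_sarif needs GitHub Advanced Security to be enabled - see https://docs.github.com/get-started/learning-about-github/about-github-advanced-security\n' "$1" "$2"
  return 1
}

# Prints "upload" or "skip"; a workflow step would branch on this before
# invoking the upload action (for example github/codeql-action/upload-sarif).
sarif_decision() {
  visibility=$(repo_visibility_from_json "$1")
  ghas=$(ghas_status_from_json "$1")
  if should_upload_sarif "$visibility" "$ghas"; then
    echo upload
  else
    echo skip
  fi
}

# Stand-alone run against the constructed sample: prints the annotation and
# keeps the script's exit status at 0, mirroring a non-fatal skip.
if [ "$(sarif_decision "$SAMPLE_REPO_JSON")" = "skip" ]; then
  report_unsupported_sarif .github/workflows/spelling.yml 106 || :
fi
```

In a workflow the decision would be written to `$GITHUB_OUTPUT` and the upload step given an `if:` condition on it, so the action is simply never called when the check says `skip`, which is the non-fatal behaviour the issue asks codeql-action itself to provide.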