Closed. daniel-beck closed this 2 years ago
Documentation seems to be https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions
And the possible answer why they can do what I can't is because they seem to use an undocumented API: https://github.com/github/codeql-action/blob/d7ad71d8034d228d5c8076dc7f058905e272a3fd/lib/upload-lib.js#L102-L104
The payload being uploaded is also slightly different: https://github.com/github/codeql-action/blob/75f07e7ab2ee63cba88752d8c696324e4df67466/lib/upload-lib.js#L207-L256
Tried it with the GitHub-provided action but it does not compute the commit_oid parameter correctly.
Submitted https://support.github.com/ticket/personal/0/1517478
It looks like https://github.com/github/codeql-action/issues/944 is basically the same issue, except the GITHUB_WORKSPACE is not a wrong repo (which will fail the upload), but instead no GitHub repo at all. When every checkout in this workflow has a path, it behaves as described there.
I get the error too, re-running usually works though.
curl: (22) The requested URL returned error: 403
Failed to upload results
Do repositories already using the workflow from template need to make any changes other than perhaps accepting Dependabot action updates?
Originally reported in https://groups.google.com/g/jenkinsci-dev/c/OMe_zN8-Tkc/m/xuzonAElAgAJ
It probably happens because it's a PR from a fork and the GITHUB_TOKEN used only has read permission for SecurityEvents.