haskell-actions/hlint-scan

Use the secret API to upload SARIF files

chungyc opened this issue · 2 comments

This action uses the documented API to upload SARIF files. This requires write permission for security-events to upload analysis results, including for pull requests. Despite much of the documentation strongly suggesting that code scanning should work for pull requests from forked repositories, it does not because GitHub will not allow higher than read access for security-events for these.

github/codeql-action/upload-sarif somehow manages to upload SARIF files to pull requests without write permission for security-events. It turns out that it uses a secret, undocumented API to upload SARIF files,[1] which apparently does not require the permission for uploading SARIF files to pull requests.

Consider reverse engineering the secret API and using it to upload SARIF files instead. Alternatively, it would be great if GitHub had the same behavior for pull requests with the documented API.

Footnotes

  1. Specifically, code-scanning/analysis instead of code-scanning/sarifs.
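For reference, here is a minimal workflow that uploads through the documented `code-scanning/sarifs` endpoint with the least permissions that upload needs; this is an added example, not code from the hlint-scan project, and the SARIF file name `hlint.sarif` and the step that produces it are assumptions.

```yaml
# Added example (not from haskell-actions/hlint-scan).
# Uploads a SARIF file via github/codeql-action/upload-sarif, which calls the
# documented POST /repos/{owner}/{repo}/code-scanning/sarifs endpoint.
name: code-scanning-upload
on:
  push:
    branches: [main]
  pull_request:

jobs:
  upload:
    runs-on: ubuntu-latest
    # Grant only what this job needs. Without "security-events: write" the
    # documented upload endpoint rejects the request.
    permissions:
      contents: read          # needed by actions/checkout
      security-events: write  # needed by the documented SARIF upload API
    steps:
      - uses: actions/checkout@v4
      # Assumed placeholder: replace with the step that actually produces
      # hlint.sarif (for example, running the analysis tool with SARIF output).
      - name: Produce SARIF (assumed step)
        run: test -f hlint.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: hlint.sarif
      # Caveat, as described in the issue above: on a pull_request event from a
      # forked repository, GITHUB_TOKEN is limited to read access, so the
      # "security-events: write" grant is not honoured and this upload fails
      # through the documented endpoint.
```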

I'm asking about having the documented API have the same behavior at https://github.com/orgs/community/discussions/54013

According to a new reply on https://github.com/orgs/community/discussions/54013, the documented API now behaves the same as the secret API in terms of permissions, so uploading scan results for a pull request against another's repository now works. This has been confirmed with haskell-beginners-2022/exercises#109