PRs from forks cannot upload reports

[daniel-beck]

Originally reported in https://groups.google.com/g/jenkinsci-dev/c/OMe_zN8-Tkc/m/xuzonAElAgAJ

It probably happens because it's a PR from a fork and the GITHUB_TOKEN used only has read permission for SecurityEvents.

[daniel-beck]

Documentation seems to be https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions

And the possible answer why they can do what I can't is because they seem to use an undocumented API: https://github.com/github/codeql-action/blob/d7ad71d8034d228d5c8076dc7f058905e272a3fd/lib/upload-lib.js#L102-L104

They payload being uploaded is also slightly different: https://github.com/github/codeql-action/blob/75f07e7ab2ee63cba88752d8c696324e4df67466/lib/upload-lib.js#L207-L256

[daniel-beck]

Tried it with the GitHub-provided action but it does not compute the commit_oid parameter correctly.

Submitted https://support.github.com/ticket/personal/0/1517478

[daniel-beck]

It looks like github/codeql-action#944 is basically the same issue, except the GITHUB_WORKSPACE is not a wrong repo (which will fail the upload), but instead no GitHub repo at all. When every checkout in this workflow has a path, it behaves as described there.

[daniel-beck]

Filed github/codeql-action#952

[offa]

I get the error too, re-running usually works though.

curl: (22) The requested URL returned error: 403 
Failed to upload results

[jglick]

Do repositories already using the workflow from template need to make any changes other than perhaps accepting Dependabot action updates?

[jglick]

jenkinsci/mercurial-plugin#200 I guess?

[daniel-beck]

jenkinsci/mercurial-plugin#200 I guess?

Yes, per https://github.com/jenkins-infra/jenkins-security-scan/releases/tag/v2 and https://groups.google.com/g/jenkinsci-dev/c/OMe_zN8-Tkc/m/gS9m62CiAwAJ.