X Tutup
Skip to content

Upload failed SARIF for risk assessments in init-post step#3519

Merged
mbg merged 15 commits intomainfrom
mbg/csra/upload-failed-sarif-artifact
Mar 10, 2026
Merged

Upload failed SARIF for risk assessments in init-post step#3519
mbg merged 15 commits intomainfrom
mbg/csra/upload-failed-sarif-artifact

Conversation

@mbg
Copy link
Member

@mbg mbg commented Feb 26, 2026
edited
Loading

This modifies the init-post action to upload a failed SARIF as a workflow artifact for risk assessments. This mirrors what we do for Code Scanning, except there we upload the SARIF to the API.

Risk assessment

For internal use only. Please select the risk level of this change:

  • Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Which use cases does this change impact?

Workflow types:

  • Managed - Impacts users with dynamic workflows (Default Setup, Code Quality, ...).

Products:

  • Other first-party - The changes impact other first-party analyses.

Environments:

  • Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.

How did/will you validate this change?

  • Test repository - This change will be tested on a test repository before merging.
  • Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
  • End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

  • Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

  • Telemetry - I rely on existing telemetry or have made changes to the telemetry.
    • Dashboards - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
    • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

  • Special considerations - This change should only be merged once certain preconditions are met. Please provide details of those or link to this PR from an internal issue.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Consider adding a changelog entry for this change.
  • Confirm the readme and docs have been updated if necessary.

@mbg mbg self-assigned this Feb 26, 2026
@github-actions github-actions bot added the size/M Should be of average difficulty to review label Feb 26, 2026
@github-actions github-actions bot added size/L May be hard to review and removed size/M Should be of average difficulty to review labels Feb 27, 2026
@mbg mbg marked this pull request as ready for review February 27, 2026 12:56
@mbg mbg requested a review from a team as a code owner February 27, 2026 12:56
Copilot AI review requested due to automatic review settings February 27, 2026 12:56
Copilot AI reviewed Feb 27, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enhances the init-post action to upload failed SARIF files as workflow artifacts when running risk assessments, extending the existing failure diagnostics infrastructure to support a new analysis type.

Changes:

  • Refactored failed SARIF preparation logic to support both code scanning (uploaded to GitHub) and risk assessment (uploaded as artifacts)
  • Added isRiskAssessmentEnabled helper function to check if risk assessment analysis is enabled
  • Renamed run function to uploadFailureInfo in init-action-post-helper.ts to better reflect its purpose
  • Added comprehensive test coverage for risk assessment artifact upload scenarios

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
src/init-action-post.ts Updated function call from run to uploadFailureInfo
src/init-action-post-helper.ts Refactored failed SARIF logic: extracted prepareFailedSarif and generateFailedSarif, added maybeUploadFailedSarifArtifact for risk assessments, improved conditional logic
src/init-action-post-helper.test.ts Added tests for risk assessment artifact uploads (both diagnosticsExport and databaseExportDiagnostics paths) and edge cases
src/config-utils.ts Added isRiskAssessmentEnabled helper function for checking risk assessment analysis kind
lib/init-action-post.js Auto-generated JavaScript from TypeScript source (not reviewed)
Comments suppressed due to low confidence (1)

src/init-action-post-helper.ts:86

  • Typo in the comment: "can contains" should be "can contain" (singular, not plural).
 * Tries to prepare a SARIF file that can contains information about a failed analysis.

henrymercer
henrymercer reviewed Feb 27, 2026
View reviewed changes
Copy link
Contributor

@henrymercer henrymercer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good. I like the way you've broken up the methods and the use of Result. Before merging, I'd like to see an end-to-end test similar to the "Submit SARIF after failure" PR check for risk assessment. CCR also has suggested some typo fixes.

This was referenced Mar 3, 2026
Closed
Open
henrymercer
henrymercer approved these changes Mar 10, 2026
View reviewed changes
Copy link
Contributor

@henrymercer henrymercer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Happy to approve now to help avoid merge conflicts, providing we add the PR check as followup.

@mbg mbg added this pull request to the merge queue Mar 10, 2026
Merged via the queue into main with commit 87c3b7b Mar 10, 2026
247 of 248 checks passed
@mbg mbg deleted the mbg/csra/upload-failed-sarif-artifact branch March 10, 2026 12:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@henrymercer henrymercer henrymercer approved these changes

Assignees

@mbg mbg

Labels

size/L May be hard to review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mbg @henrymercer
X Tutup