SARIF upload gives "Resource not accessible by integration" error #24930

@kbreit-insight

Description

A workflow runs a KICS scan that should output to GitHub Advanced Security using SARIF. It works until it gets to the upload step, where it fails.

---
on:
  workflow_dispatch:
permissions:
  actions: read
  contents: read
  issues: read
  pull-requests: read
engine:
  id: copilot
  model: claude-opus-4-6
network:
  allowed:
    - defaults
    - python
    - node
    - go
    - java
tools:
  github:
    toolsets: [default]
  edit:
  bash: true
  web-fetch:
  web-search:
steps:
  - name: Checkout repository
    uses: actions/checkout@v6
    with:
      persist-credentials: false
  - name: Create artifact directory
    run: mkdir -p artifacts
  - name: KICS Github Action
    uses: Checkmarx/kics-github-action@v1.7.0
    with:
      path: .
      output_path: artifacts
      output_formats: json,sarif
      ignore_on_exit: results
  - name: Upload KICS results
    uses: actions/upload-artifact@v7
    with:
      name: kics-results
      path: artifacts/results.json
  - name: Flatten KICS findings for agent
    run: |
      python3 -c "
      import json
      SEVERITY_MAP = {'critical': 'error', 'high': 'error', 'medium': 'warning', 'low': 'note', 'info': 'note', 'trace': 'note'}
      data = json.load(open('artifacts/results.json'))
      findings = []
      for q in data.get('queries', []):
        for f in q.get('files', []):
          findings.append({
            'file': f['file_name'],
            'line': f['line'],
            'severity': SEVERITY_MAP.get(q['severity'].lower(), 'note'),
            'message': q['query_name'] + ': ' + q['description']
          })
      print(json.dumps(findings, indent=2))
      " > artifacts/findings.json
safe-outputs:
  create-issue:
  create-agent-session:
  create-discussion:
  update-discussion:
  close-discussion:
  close-issue:
  close-pull-request:
  add-comment:
  create-pull-request:
  create-pull-request-review-comment:
  submit-pull-request-review:
  reply-to-pull-request-review-comment:
  resolve-pull-request-review-thread:
  create-code-scanning-alert:
    # github-token: ${{ secrets.GHAS_TOKEN }}
    max: 10000
  add-labels:
  remove-labels:
  add-reviewer:
  assign-milestone:
  assign-to-agent:
  assign-to-user:
  unassign-from-user:
  update-issue:
  update-pull-request:
  push-to-pull-request-branch:
  upload-asset:
  update-release:
  link-sub-issue:
  hide-comment:
  set-issue-type:
  update-project:
  autofix-code-scanning-alert:
  mark-pull-request-as-ready-for-review:
---

# kics-remediation

Read `artifacts/findings.json` — it contains a flat JSON array where each element has `file`, `line`, `severity`, and `message`. Call `create_code_scanning_alert` once per element, one at a time sequentially (not in parallel), passing those four fields directly. Wait for each call to succeed before proceeding to the next. After all alerts are uploaded, read `artifacts/results.json` to analyze the full results and create a tracking issue. Then create a new branch and perform remediation on findings whose `file` path does NOT start with `.github/` — do not modify any files under `.github/` in the PR (mention those findings in the tracking issue as requiring manual attention). Open a pull request with appropriate labels. NEVER automatically merge the pull request.

<!--
## TODO: Customize this workflow

The workflow has been generated based on your selections. Consider adding:

- [ ] More specific instructions for the AI
- [ ] Error handling requirements
- [ ] Output format specifications
- [ ] Integration with other workflows
- [ ] Testing and validation steps

## Configuration Summary

- **Trigger**: Manual trigger
- **AI Engine**: copilot
- **Tools**: github, edit, bash, web-fetch, web-search
- **Safe Outputs**: create-issue, create-agent-session, create-discussion, update-discussion, close-discussion, close-issue, close-pull-request, add-comment, create-pull-request, create-pull-request-review-comment, submit-pull-request-review, reply-to-pull-request-review-comment, resolve-pull-request-review-thread, create-code-scanning-alert, add-labels, remove-labels, add-reviewer, assign-milestone, assign-to-agent, assign-to-user, unassign-from-user, update-issue, update-pull-request, push-to-pull-request-branch, upload-asset, update-release, link-sub-issue, hide-comment, set-issue-type, update-project, create-project, create-project-status-update, autofix-code-scanning-alert, mark-pull-request-as-ready-for-review
- **Network Access**: ecosystem

## Next Steps

1. Review and customize the workflow content above
2. Remove TODO sections when ready
3. Run `gh aw compile` to generate the GitHub Actions workflow
4. Test the workflow with a manual trigger or appropriate event
-->

Run github/codeql-action/upload-sarif@0e9f55954318745b37b7933c693bc093f7336125
Warning: Failed to gather information for telemetry: Resource not accessible by integration - https://docs.github.com/rest/actions/workflow-runs#get-a-workflow-run. Will skip sending status report.
Post-processing sarif files: ["/tmp/gh-aw/sarif/code-scanning-alert.sarif"]
Validating /tmp/gh-aw/sarif/code-scanning-alert.sarif
Adding fingerprints to SARIF file. See https://docs.github.com/en/code-security/reference/code-scanning/sarif-support-for-code-scanning#data-for-preventing-duplicated-alerts for more information.
(node:12486) [DEP0169] DeprecationWarning: `url.parse()` behavior is not standardized and prone to errors that have security implications. Use the WHATWG URL API instead. CVEs are not issued for `url.parse()` vulnerabilities.
(Use `node --trace-deprecation ...` to show where the warning was created)
Error: Resource not accessible by integration - https://docs.github.com/rest/actions/workflow-runs#get-a-workflow-run
Warning: Failed to gather information for telemetry: Resource not accessible by integration - https://docs.github.com/rest/actions/workflow-runs#get-a-workflow-run. Will skip sending status report.
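The inline "Flatten KICS findings for agent" step above and the agent prompt that follows it describe a small pipeline: KICS results.json is reduced to per-finding records, severities are mapped to SARIF levels, and findings under `.github/` are set aside for manual attention. The following is an added, stand-alone illustration of that pipeline, not code from the issue, from kics-github-action or from gh-aw. It assumes the KICS JSON shape the issue's script already reads (top-level `queries`, each with `files`), tolerates missing or unexpected keys, and also renders the records as a minimal SARIF 2.1.0 log; the sample scan result embedded below is constructed for illustration.

```python
"""Flatten KICS results.json into per-finding records and render them as SARIF.

Added example, not part of the original issue, of kics-github-action or of gh-aw.
The KICS JSON shape assumed here (top-level `queries`, each with `files`) is
the one the issue's inline script reads; SAMPLE_KICS_RESULTS is constructed.
"""
import json

# Same mapping as the issue's inline script: KICS severities -> SARIF levels.
SEVERITY_MAP = {
    "critical": "error", "high": "error", "medium": "warning",
    "low": "note", "info": "note", "trace": "note",
}

# Constructed sample in the KICS results.json shape (not real scan output).
SAMPLE_KICS_RESULTS = {
    "queries": [
        {
            "query_name": "Passwords And Secrets - Generic Secret",
            "query_id": "00000000-0000-0000-0000-000000000000",  # placeholder id
            "severity": "HIGH",
            "description": "Query to find passwords and secrets in infrastructure code.",
            "files": [
                {"file_name": "terraform/main.tf", "line": 12},
                {"file_name": ".github/workflows/ci.yml", "line": 40},
            ],
        },
        {
            # Unknown severity and no description: exercises the fallbacks.
            "query_name": "Unknown Severity Query",
            "query_id": "11111111-1111-1111-1111-111111111111",  # placeholder id
            "severity": "Unexpected",
            "files": [{"file_name": "k8s/deploy.yaml", "line": 3}],
        },
    ]
}


def flatten_findings(data):
    """Return one flat record per (query, file) pair, tolerating missing keys."""
    findings = []
    for q in data.get("queries", []):
        # Unknown severities fall back to "note", as in the issue's script.
        level = SEVERITY_MAP.get(str(q.get("severity", "")).lower(), "note")
        name = q.get("query_name", "unknown query")
        description = q.get("description") or ""
        message = name + ": " + description if description else name
        for f in q.get("files", []):
            findings.append({
                "file": f["file_name"],
                "line": int(f.get("line", 1)),
                "severity": level,
                "message": message,
                "rule_id": q.get("query_id", "unknown"),
                "query_name": name,
            })
    return findings


def to_sarif(findings, tool_name="kics"):
    """Build a minimal SARIF 2.1.0 log (one run, one rule per KICS query)."""
    rules, results = {}, []
    for fnd in findings:
        rules.setdefault(fnd["rule_id"], {
            "id": fnd["rule_id"],
            "shortDescription": {"text": fnd["query_name"]},
        })
        results.append({
            "ruleId": fnd["rule_id"],
            "level": fnd["severity"],  # SARIF levels: note, warning, error
            "message": {"text": fnd["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": fnd["file"]},
                "region": {"startLine": fnd["line"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }


def split_by_remediation_scope(findings, protected_prefix=".github/"):
    """Partition findings as the agent prompt requires: files under .github/
    are reported for manual attention rather than auto-remediated."""
    auto = [f for f in findings if not f["file"].startswith(protected_prefix)]
    manual = [f for f in findings if f["file"].startswith(protected_prefix)]
    return auto, manual


if __name__ == "__main__":
    flat = flatten_findings(SAMPLE_KICS_RESULTS)
    auto, manual = split_by_remediation_scope(flat)
    print(f"{len(auto)} auto-remediable, {len(manual)} need manual attention")
    print(json.dumps(to_sarif(flat), indent=2))
```

Keeping workflow files out of automated remediation matters because a change under `.github/` alters what the next run is permitted to do; separating those findings before the agent step makes that rule a property of the data rather than of the prompt alone.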
