Code scanning alert doesn't find file in repository

[adangel]

When uploading the SARIF file to code-ql, the file in the repository is not found:

Preview unavailable

Sorry, we couldn't find this file in the repository.

---

Workaround

Add the following step before upload-sarif:

      - name: Relativize SARIF
        shell: bash
        run: |
          jq ".runs[0].results[].locations[].physicalLocation.artifactLocation.uri |= sub(\"${GITHUB_WORKSPACE}/\"; \"\")" pmd-report.sarif > pmd-report2.sarif
          mv -f pmd-report2.sarif pmd-report.sarif

[adangel]

It seems, that the upload-sarif actions actually has a parameter for this: https://github.com/github/codeql-action/blob/249c7ffce1bd9ae683a22f2e0b82253a31562477/upload-sarif/action.yml#L12-L15

However, checkout_path doesn't seem to be working as expected... so we simply relativize the paths ourselves (as we did already for the build annotations).