BUG: SARIF upload not requested but ran and failed anyway

[pllim]

Hello. Our workflow is very basic:

https://github.com/scientific-python/action-check-changelogfile/blob/main/.github/workflows/codeql-analysis.yml

We never enabled anything related to SARIF. But it fails on main (but not on PR) with the following error:

Uploading results
  Processing sarif files: ["/home/runner/work/action-check-changelogfile/results/python.sarif"]
  Validating /home/runner/work/action-check-changelogfile/results/python.sarif
  Combining SARIF files using the CodeQL CLI
  Adding fingerprints to SARIF file...
  Uploading results
  Warning: Resource not accessible by integration
  Error: Resource not accessible by integration
  Warning: Resource not accessible by integration

Example log: https://github.com/scientific-python/action-check-changelogfile/actions/runs/13616676328/job/38060645000

Updating to latest bundle release did not help. How do we disable this SARIF upload? Hope you can advise. Thank you.

[mbg]

Hi @pllim 👋🏻

SARIF is the format that CodeQL uses to represent analysis results. It is a normal part of CodeQL operation to produce a SARIF file and upload this so that you can view results of the analysis.

I am not sure why you are getting the "Resource not accessible by integration" errors for workflows on main. I can see that they used to work a year ago, but are now failing each time with that error.

As a first thing to check, could you explicitly add the necessary workflow permissions to your workflow file to see if this resolves the issue:

permissions:
  security-events: write
  actions: read
  contents: read

[pllim]

Thank you! The permissions fixed my failure.