Skip to content

Commit ad79651

Browse files
fix: use cross-repo SARIF upload to target cq-demo-app repos
The upload-sarif@v4 action was uploading SARIF to the scanner repo instead of the individual cq-demo-app repos. Changed to use gh api cross-repo upload pattern so findings appear in each demo app's Security/Code Scanning tab. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent ef80994 commit ad79651

1 file changed

Lines changed: 20 additions & 4 deletions

File tree

.github/workflows/code-quality-scan.yml

Lines changed: 20 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -27,9 +27,25 @@ jobs:
2727
VALIDATE_ALL_CODEBASE: true
2828
SARIF_REPORTER: true
2929

30-
- name: Upload SARIF
31-
uses: github/codeql-action/upload-sarif@v4
30+
- name: Upload SARIF artifact
3231
if: always()
32+
uses: actions/upload-artifact@v4
3333
with:
34-
sarif_file: megalinter-reports/megalinter-report.sarif
35-
category: code-quality-scan/${{ matrix.app }}
34+
name: megalinter-sarif-${{ matrix.app }}
35+
path: megalinter-reports/megalinter-report.sarif
36+
37+
- name: Upload SARIF to target repo
38+
if: always() && hashFiles('megalinter-reports/megalinter-report.sarif') != ''
39+
env:
40+
GH_TOKEN: ${{ secrets.ORG_ADMIN_TOKEN }}
41+
run: |
42+
SARIF_CONTENT=$(gzip -c megalinter-reports/megalinter-report.sarif | base64 -w0)
43+
COMMIT_SHA=$(gh api repos/devopsabcs-engineering/cq-demo-app-${{ matrix.app }}/commits/main --jq '.sha')
44+
RESPONSE=$(gh api \
45+
--method POST \
46+
repos/devopsabcs-engineering/cq-demo-app-${{ matrix.app }}/code-scanning/sarifs \
47+
-f "commit_sha=$COMMIT_SHA" \
48+
-f "ref=refs/heads/main" \
49+
-f "sarif=$SARIF_CONTENT")
50+
echo "Upload response: $RESPONSE"
51+
echo "Uploaded MegaLinter SARIF to cq-demo-app-${{ matrix.app }}"

0 commit comments

Comments
 (0)