Upload security SARIF files when repo is public

GitHub only allows SARIF files to be uploaded for paid tier GitHub users
or if the repo is public. Add logic to prevent SARIF upload attempt when
repo is private. Upload SARIF file as artifact.

Author: sbreker

.github/workflows/security.yml

@@ -34,7 +34,14 @@ jobs:
         with:
           go-version-file: go.mod
           check-latest: true
-          upload-sarif: true
+          upload-sarif: ${{ !github.event.repository.private }}
+      - name: Upload govulncheck SARIF artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: govulncheck-sarif
+          path: '**/*.sarif'
+          if-no-files-found: ignore
 
   trivy:
     name: Trivy repo scan
@@ -57,8 +64,16 @@ jobs:
           # Include all severities for testing - Consider removing UNKNOWN,LOW,MEDIUM when enforcing.
           severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
           exit-code: 1 # Remove to enforce failure on high/critical
-      - name: Upload SARIF
+      - name: Upload Trivy SARIF artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-sarif
+          path: trivy-fs.sarif
+          if-no-files-found: ignore
+      - name: Upload SARIF to Code Scanning
+        if: ${{ !github.event.repository.private }}
         uses: github/codeql-action/upload-sarif@v4
-        if: steps.trivy_scan.outcome == 'failure'
         with:
           sarif_file: trivy-fs.sarif
+          wait-for-processing: true