Favor GITHUB_WORKFLOW_REF

Introduced with GHES 3.9:
https://docs.github.com/en/[email protected]/actions/learn-github-actions/variables

GITHUB_WORKFLOW_REF means that actions don't need to use `actions: read`
to determine the path to the running workflow.

Author: jsoref

CHANGELOG.md

@@ -6,7 +6,7 @@ Note that the only difference between `v2` and `v3` of the CodeQL Action is the
 
 ## [UNRELEASED]
 
-No user facing changes.
+- Users of GHES 3.9+ and GHEC will no longer need to include `actions: read` permissions to use `upload-sarif` in private repositories.
 
 ## 3.24.3 - 15 Feb 2024
 

lib/api-client.js

@@ -119,6 +119,18 @@ export async function getGitHubVersion(): Promise<GitHubVersion> {
  * Get the path of the currently executing workflow relative to the repository root.
  */
 export async function getWorkflowRelativePath(): Promise<string> {
+  const workflow_ref = process.env["GITHUB_WORKFLOW_REF"];
+  // When GHES 3.8 support is removed, this if guard and its corresponding
+  // fallback code can be removed.
+  if (workflow_ref !== undefined) {
+    const workflowRegExp = new RegExp("^[^/]+/[^/]+/(.*?)@.*");
+    const match = workflow_ref.match(workflowRegExp);
+    if (match) {
+      return new Promise((resolve) => {
+        resolve(match[1]);
+      });
+    }
+  }
   const repo_nwo = getRequiredEnvParam("GITHUB_REPOSITORY").split("/");
   const owner = repo_nwo[0];
   const repo = repo_nwo[1];