
codeql/upload-sarif@v3 action failed: Resource not accessible by integration - missing actions: read #2117

Open
@SPodjasek


TL;DR

When you're facing this issue in a private repository, please add

```yaml
permissions:
  actions: read
```

to your workflow, or wait until this PR gets merged:


I'm opening this issue as requested in #1806

When trying to upload a SARIF file produced by Docker Scout, we get: `Resource not accessible by integration`, even though the security-events permission is set to write.

Detailed workflow run logs are below. I've stripped output from scout as I believe it's irrelevant.

Logs

2024-02-02T22:03:48.1355639Z Requested labels: ubuntu-latest
2024-02-02T22:03:48.1355934Z Job defined at: ....
2024-02-02T22:03:48.1356154Z Reusable workflow chain:
2024-02-02T22:03:48.1356234Z .... (6e62641865d79cd11cea291c21405d81fb03275d)
2024-02-02T22:03:48.1356335Z -> .... (3e071b83a90458e94e89a01903cda60650f86a6c)
2024-02-02T22:03:48.1356436Z Waiting for a runner to pick up this job...
2024-02-02T22:03:48.5338786Z Job is waiting for a hosted runner to come online.
2024-02-02T22:03:50.8524838Z Job is about to start running on the hosted runner: GitHub Actions 207 (hosted)
2024-02-02T22:03:54.0039541Z ##[debug]Starting: Build, publish and notify / Docker Scout
2024-02-02T22:03:54.0069923Z ##[debug]Cleaning runner temp folder: /home/runner/work/_temp
2024-02-02T22:03:54.0383199Z ##[debug]Starting: Set up job
2024-02-02T22:03:54.0383989Z Current runner version: '2.312.0'
2024-02-02T22:03:54.0411603Z ##[group]Operating System
2024-02-02T22:03:54.0412393Z Ubuntu
2024-02-02T22:03:54.0413252Z 22.04.3
2024-02-02T22:03:54.0413748Z LTS
2024-02-02T22:03:54.0414183Z ##[endgroup]
2024-02-02T22:03:54.0414786Z ##[group]Runner Image
2024-02-02T22:03:54.0415453Z Image: ubuntu-22.04
2024-02-02T22:03:54.0416046Z Version: 20240126.1.0
2024-02-02T22:03:54.0417552Z Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240126.1/images/ubuntu/Ubuntu2204-Readme.md
2024-02-02T22:03:54.0419608Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240126.1
2024-02-02T22:03:54.0420834Z ##[endgroup]
2024-02-02T22:03:54.0421496Z ##[group]Runner Image Provisioner
2024-02-02T22:03:54.0422394Z 2.0.341.1
2024-02-02T22:03:54.0422940Z ##[endgroup]
2024-02-02T22:03:54.0424717Z ##[group]GITHUB_TOKEN Permissions
2024-02-02T22:03:54.0427159Z Contents: read
2024-02-02T22:03:54.0427760Z Metadata: read
2024-02-02T22:03:54.0428376Z Packages: read
2024-02-02T22:03:54.0428936Z PullRequests: write
2024-02-02T22:03:54.0429547Z SecurityEvents: write
2024-02-02T22:03:54.0430219Z ##[endgroup]
2024-02-02T22:03:54.0434081Z Secret source: Actions
2024-02-02T22:03:54.0435024Z ##[debug]Primary repository: ....
2024-02-02T22:03:54.0436104Z Prepare workflow directory
2024-02-02T22:03:54.0517838Z ##[debug]Creating pipeline directory: '/home/runner/work/workflows-sandbox'
2024-02-02T22:03:54.0522435Z ##[debug]Creating workspace directory: '/home/runner/work/workflows-sandbox/workflows-sandbox'
2024-02-02T22:03:54.0524530Z ##[debug]Update context data
2024-02-02T22:03:54.0529519Z ##[debug]Evaluating job-level environment variables
2024-02-02T22:03:54.1112572Z ##[debug]Evaluating job container
2024-02-02T22:03:54.1117204Z ##[debug]Evaluating job service containers
2024-02-02T22:03:54.1120196Z ##[debug]Evaluating job defaults
2024-02-02T22:03:54.1205046Z Prepare all required actions
2024-02-02T22:03:54.1396165Z Getting action download info
2024-02-02T22:03:54.4152542Z Download action repository 'actions/download-artifact@v4' (SHA:6b208ae046db98c579e8a3aa621ab581ff575935)
2024-02-02T22:03:54.6074624Z ##[debug]Download 'https://api.github.com/repos/actions/download-artifact/tarball/....' to '/home/runner/work/_actions/_temp_0a04d7a6-c68b-4dab-a0d1-f8ff4d7901e1/6b1caa8a-ba46-497f-b8e3-6e910f9c4a29.tar.gz'
2024-02-02T22:03:54.7566291Z ##[debug]Unwrap 'actions-download-artifact-6b208ae' to '/home/runner/work/_actions/actions/download-artifact/v4'
2024-02-02T22:03:54.7816933Z ##[debug]Archive '/home/runner/work/_actions/_temp_0a04d7a6-c68b-4dab-a0d1-f8ff4d7901e1/6b1caa8a-ba46-497f-b8e3-6e910f9c4a29.tar.gz' has been unzipped into '/home/runner/work/_actions/actions/download-artifact/v4'.
2024-02-02T22:03:54.7969182Z Download action repository '....' (SHA:d8038367fe1ee83c2c7b2403f8ecbb3cb3ea54ab)
2024-02-02T22:04:12.3537742Z ##[debug]Download 'https://api.github.com/repos/....' to '/home/runner/work/_actions/_temp_0a0fb82e-c55f-4675-8e1d-942f49d9bb50/67644ab3-3c13-4773-9f13-baf5c71df6da.tar.gz'
2024-02-02T22:04:15.1612066Z ##[debug]Unwrap '....-d803836' to '/home/runner/work/_actions/....'
2024-02-02T22:04:16.0200464Z ##[debug]Archive '/home/runner/work/_actions/_temp_0a0fb82e-c55f-4675-8e1d-942f49d9bb50/67644ab3-3c13-4773-9f13-baf5c71df6da.tar.gz' has been unzipped into '/home/runner/work/_actions/....'.
2024-02-02T22:04:16.0611003Z Download action repository 'github/codeql-action@v3' (SHA:e8893c57a1f3a2b659b6b55564fdfdbbd2982911)
2024-02-02T22:04:16.3905336Z ##[debug]Download 'https://api.github.com/repos/github/codeql-action/tarball/e8893c57a1f3a2b659b6b55564fdfdbbd2982911' to '/home/runner/work/_actions/_temp_c285f8d6-2c35-4815-9960-4ebce6bbfc15/1b745a43-13d8-44e3-8a6e-8f6ca6cd8ef5.tar.gz'
2024-02-02T22:04:17.3612008Z ##[debug]Unwrap 'github-codeql-action-e8893c5' to '/home/runner/work/_actions/github/codeql-action/v3'
2024-02-02T22:04:19.7407731Z ##[debug]Archive '/home/runner/work/_actions/_temp_c285f8d6-2c35-4815-9960-4ebce6bbfc15/1b745a43-13d8-44e3-8a6e-8f6ca6cd8ef5.tar.gz' has been unzipped into '/home/runner/work/_actions/github/codeql-action/v3'.
2024-02-02T22:04:19.9547297Z ##[debug]action.yml for action: '/home/runner/work/_actions/actions/download-artifact/v4/action.yml'.
2024-02-02T22:04:20.0411876Z ##[debug]action.yml for action: '/home/runner/work/_actions/..../action.yml'.
2024-02-02T22:04:20.0571724Z ##[debug]action.yml for action: '/home/runner/work/_actions/github/codeql-action/v3/upload-sarif/action.yml'.
2024-02-02T22:04:20.0784136Z ##[debug]Set step '__actions_download-artifact' display name to: 'Download artifact'
2024-02-02T22:04:20.0786779Z ##[debug]Set step '__run' display name to: 'Load image'
2024-02-02T22:04:20.0788365Z ##[debug]Set step 'docker-scout' display name to: 'Docker Scout'
2024-02-02T22:04:20.0789915Z ##[debug]Set step 'upload-sarif' display name to: 'Upload SARIF result'
2024-02-02T22:04:20.0793111Z Uses: .... (3e071b83a90458e94e89a01903cda60650f86a6c)
2024-02-02T22:04:20.0795823Z ##[group] Inputs
2024-02-02T22:04:20.0796562Z   use-cosign: true
2024-02-02T22:04:20.0796946Z   working-directory: .
2024-02-02T22:04:20.0797345Z ##[endgroup]
2024-02-02T22:04:20.0798034Z Complete job name: Build, publish and notify / Docker Scout
2024-02-02T22:04:20.0816783Z ##[debug]Collect running processes for tracking orphan processes.
2024-02-02T22:04:20.1030501Z ##[debug]Finishing: Set up job
2024-02-02T22:04:20.1260826Z ##[debug]Evaluating condition for step: 'Download artifact'
2024-02-02T22:04:20.1323485Z ##[debug]Evaluating: (success() && (needs.build-and-publish.outputs.output_type == 'file'))
2024-02-02T22:04:20.1330442Z ##[debug]Evaluating And:
2024-02-02T22:04:20.1336017Z ##[debug]..Evaluating success:
2024-02-02T22:04:20.1361789Z ##[debug]..=> true
2024-02-02T22:04:20.1366884Z ##[debug]..Evaluating Equal:
2024-02-02T22:04:20.1368385Z ##[debug]....Evaluating Index:
2024-02-02T22:04:20.1370603Z ##[debug]......Evaluating Index:
2024-02-02T22:04:20.1371227Z ##[debug]........Evaluating Index:
2024-02-02T22:04:20.1371860Z ##[debug]..........Evaluating needs:
2024-02-02T22:04:20.1373446Z ##[debug]..........=> Object
2024-02-02T22:04:20.1388259Z ##[debug]..........Evaluating String:
2024-02-02T22:04:20.1389380Z ##[debug]..........=> 'build-and-publish'
2024-02-02T22:04:20.1393892Z ##[debug]........=> Object
2024-02-02T22:04:20.1394693Z ##[debug]........Evaluating String:
2024-02-02T22:04:20.1395416Z ##[debug]........=> 'outputs'
2024-02-02T22:04:20.1396045Z ##[debug]......=> Object
2024-02-02T22:04:20.1396614Z ##[debug]......Evaluating String:
2024-02-02T22:04:20.1397238Z ##[debug]......=> 'output_type'
2024-02-02T22:04:20.1398111Z ##[debug]....=> 'registry'
2024-02-02T22:04:20.1398689Z ##[debug]....Evaluating String:
2024-02-02T22:04:20.1399267Z ##[debug]....=> 'file'
2024-02-02T22:04:20.1403161Z ##[debug]..=> false
2024-02-02T22:04:20.1403860Z ##[debug]=> false
2024-02-02T22:04:20.1411996Z ##[debug]Expanded: (true && ('registry' == 'file'))
2024-02-02T22:04:20.1412989Z ##[debug]Result: false
2024-02-02T22:04:20.1448665Z ##[debug]Evaluating condition for step: 'Load image'
2024-02-02T22:04:20.1452005Z ##[debug]Evaluating: (success() && (needs.build-and-publish.outputs.output_type == 'file'))
2024-02-02T22:04:20.1453249Z ##[debug]Evaluating And:
2024-02-02T22:04:20.1453824Z ##[debug]..Evaluating success:
2024-02-02T22:04:20.1454511Z ##[debug]..=> true
2024-02-02T22:04:20.1455025Z ##[debug]..Evaluating Equal:
2024-02-02T22:04:20.1455600Z ##[debug]....Evaluating Index:
2024-02-02T22:04:20.1456195Z ##[debug]......Evaluating Index:
2024-02-02T22:04:20.1456998Z ##[debug]........Evaluating Index:
2024-02-02T22:04:20.1457604Z ##[debug]..........Evaluating needs:
2024-02-02T22:04:20.1458218Z ##[debug]..........=> Object
2024-02-02T22:04:20.1458795Z ##[debug]..........Evaluating String:
2024-02-02T22:04:20.1459459Z ##[debug]..........=> 'build-and-publish'
2024-02-02T22:04:20.1460108Z ##[debug]........=> Object
2024-02-02T22:04:20.1460657Z ##[debug]........Evaluating String:
2024-02-02T22:04:20.1461320Z ##[debug]........=> 'outputs'
2024-02-02T22:04:20.1461892Z ##[debug]......=> Object
2024-02-02T22:04:20.1462436Z ##[debug]......Evaluating String:
2024-02-02T22:04:20.1463037Z ##[debug]......=> 'output_type'
2024-02-02T22:04:20.1463666Z ##[debug]....=> 'registry'
2024-02-02T22:04:20.1464216Z ##[debug]....Evaluating String:
2024-02-02T22:04:20.1464782Z ##[debug]....=> 'file'
2024-02-02T22:04:20.1465276Z ##[debug]..=> false
2024-02-02T22:04:20.1465736Z ##[debug]=> false
2024-02-02T22:04:20.1466534Z ##[debug]Expanded: (true && ('registry' == 'file'))
2024-02-02T22:04:20.1467285Z ##[debug]Result: false
2024-02-02T22:04:20.1474849Z ##[debug]Evaluating condition for step: 'Docker Scout'
2024-02-02T22:04:20.1476315Z ##[debug]Evaluating: success()
2024-02-02T22:04:20.1476911Z ##[debug]Evaluating success:
2024-02-02T22:04:20.1477507Z ##[debug]=> true
2024-02-02T22:04:20.1478054Z ##[debug]Result: true
2024-02-02T22:04:20.1491354Z ##[debug]Starting: Docker Scout

....

2024-02-02T22:04:39.0484383Z ##[debug]Finishing: Docker Scout
2024-02-02T22:04:39.0501466Z ##[debug]Evaluating condition for step: 'Upload SARIF result'
2024-02-02T22:04:39.0506419Z ##[debug]Evaluating: (success() && (hashFiles('sarif.output.json') != '') && (github.event_name != 'pull_request_target'))
2024-02-02T22:04:39.0506790Z ##[debug]Evaluating And:
2024-02-02T22:04:39.0507083Z ##[debug]..Evaluating success:
2024-02-02T22:04:39.0507453Z ##[debug]..=> true
2024-02-02T22:04:39.0514246Z ##[debug]..Evaluating NotEqual:
2024-02-02T22:04:39.0515725Z ##[debug]....Evaluating hashFiles:
2024-02-02T22:04:39.0549232Z ##[debug]......Evaluating String:
2024-02-02T22:04:39.0549610Z ##[debug]......=> 'sarif.output.json'
2024-02-02T22:04:39.0551000Z ##[debug]Search root directory: '/home/runner/work/workflows-sandbox/workflows-sandbox'
2024-02-02T22:04:39.0551731Z ##[debug]Search pattern: 'sarif.output.json'
2024-02-02T22:04:39.0554066Z ##[debug]Starting process:
2024-02-02T22:04:39.0554913Z ##[debug]  File name: '/home/runner/runners/2.312.0/externals/node16/bin/node'
2024-02-02T22:04:39.0555606Z ##[debug]  Arguments: '"/home/runner/runners/2.312.0/bin/hashFiles"'
2024-02-02T22:04:39.0556516Z ##[debug]  Working directory: '/home/runner/work/workflows-sandbox/workflows-sandbox'
2024-02-02T22:04:39.0556953Z ##[debug]  Require exit code zero: 'False'
2024-02-02T22:04:39.0557401Z ##[debug]  Encoding web name:  ; code page: ''
2024-02-02T22:04:39.0557921Z ##[debug]  Force kill process on cancellation: 'False'
2024-02-02T22:04:39.0558279Z ##[debug]  Redirected STDIN: 'False'
2024-02-02T22:04:39.0558710Z ##[debug]  Persist current code page: 'False'
2024-02-02T22:04:39.0559143Z ##[debug]  Keep redirected STDIN open: 'False'
2024-02-02T22:04:39.0559552Z ##[debug]  High priority process: 'False'
2024-02-02T22:04:39.0579861Z ##[debug]Updated oom_score_adj to 500 for PID: 1608.
2024-02-02T22:04:39.0580888Z ##[debug]Process started with process id 1608, waiting for process exit.
2024-02-02T22:04:39.2280067Z ##[debug]Match Pattern: sarif.output.json
2024-02-02T22:04:39.2310596Z ##[debug]::debug::followSymbolicLinks 'false'
2024-02-02T22:04:39.2341403Z ##[debug]::debug::followSymbolicLinks 'false'
2024-02-02T22:04:39.2342294Z ##[debug]::debug::implicitDescendants 'true'
2024-02-02T22:04:39.2343098Z ##[debug]::debug::matchDirectories 'true'
2024-02-02T22:04:39.2343941Z ##[debug]::debug::omitBrokenSymbolicLinks 'true'
2024-02-02T22:04:39.2349067Z ##[debug]::debug::Search path '/home/runner/work/workflows-sandbox/workflows-sandbox/sarif.output.json'
2024-02-02T22:04:39.2370841Z ##[debug]/home/runner/work/workflows-sandbox/workflows-sandbox/sarif.output.json
2024-02-02T22:04:39.2428600Z ##[debug]Found 1 files to hash.
2024-02-02T22:04:39.2433131Z ##[debug]Hash result: 'f3050e4422098264040ff4733df775a08092d3580ab3b144bc251cd4c5284ce2'
2024-02-02T22:04:39.2435440Z ##[debug]undefined
2024-02-02T22:04:39.2470000Z ##[debug]STDOUT/STDERR stream read finished.
2024-02-02T22:04:39.2470988Z ##[debug]STDOUT/STDERR stream read finished.
2024-02-02T22:04:39.2473443Z ##[debug]Finished process 1608 with exit code 0, and elapsed time 00:00:00.1912209.
2024-02-02T22:04:39.2475429Z ##[debug]....=> 'f3050e4422098264040ff4733df775a08092d3580ab3b144bc251cd4c5284ce2'
2024-02-02T22:04:39.2476512Z ##[debug]....Evaluating String:
2024-02-02T22:04:39.2477087Z ##[debug]....=> ''
2024-02-02T22:04:39.2478472Z ##[debug]..=> true
2024-02-02T22:04:39.2479314Z ##[debug]..Evaluating NotEqual:
2024-02-02T22:04:39.2479944Z ##[debug]....Evaluating Index:
2024-02-02T22:04:39.2480527Z ##[debug]......Evaluating github:
2024-02-02T22:04:39.2481285Z ##[debug]......=> Object
2024-02-02T22:04:39.2481867Z ##[debug]......Evaluating String:
2024-02-02T22:04:39.2482794Z ##[debug]......=> 'event_name'
2024-02-02T22:04:39.2483410Z ##[debug]....=> 'push'
2024-02-02T22:04:39.2483978Z ##[debug]....Evaluating String:
2024-02-02T22:04:39.2484588Z ##[debug]....=> 'pull_request_target'
2024-02-02T22:04:39.2485170Z ##[debug]..=> true
2024-02-02T22:04:39.2485639Z ##[debug]=> true
2024-02-02T22:04:39.2489500Z ##[debug]Expanded: (true && ('f3050e4422098264040ff4733df775a08092d3580ab3b144bc251cd4c5284ce2' != '') && ('push' != 'pull_request_target'))
2024-02-02T22:04:39.2490792Z ##[debug]Result: true
2024-02-02T22:04:39.2491819Z ##[debug]Starting: Upload SARIF result
2024-02-02T22:04:39.2525858Z ##[debug]Loading inputs
2024-02-02T22:04:39.2527553Z ##[debug]Evaluating: github.workspace
2024-02-02T22:04:39.2528277Z ##[debug]Evaluating Index:
2024-02-02T22:04:39.2528724Z ##[debug]..Evaluating github:
2024-02-02T22:04:39.2529182Z ##[debug]..=> Object
2024-02-02T22:04:39.2529585Z ##[debug]..Evaluating String:
2024-02-02T22:04:39.2530025Z ##[debug]..=> 'workspace'
2024-02-02T22:04:39.2530674Z ##[debug]=> '/home/runner/work/workflows-sandbox/workflows-sandbox'
2024-02-02T22:04:39.2531597Z ##[debug]Result: '/home/runner/work/workflows-sandbox/workflows-sandbox'
2024-02-02T22:04:39.2534848Z ##[debug]Evaluating: github.token
2024-02-02T22:04:39.2535351Z ##[debug]Evaluating Index:
2024-02-02T22:04:39.2535807Z ##[debug]..Evaluating github:
2024-02-02T22:04:39.2536260Z ##[debug]..=> Object
2024-02-02T22:04:39.2536660Z ##[debug]..Evaluating String:
2024-02-02T22:04:39.2537092Z ##[debug]..=> 'token'
2024-02-02T22:04:39.2537993Z ##[debug]=> '***'
2024-02-02T22:04:39.2538585Z ##[debug]Result: '***'
2024-02-02T22:04:39.2540388Z ##[debug]Evaluating: toJson(matrix)
2024-02-02T22:04:39.2540886Z ##[debug]Evaluating toJson:
2024-02-02T22:04:39.2567636Z ##[debug]..Evaluating matrix:
2024-02-02T22:04:39.2568145Z ##[debug]..=> null
2024-02-02T22:04:39.2571905Z ##[debug]=> 'null'
2024-02-02T22:04:39.2572315Z ##[debug]Result: 'null'
2024-02-02T22:04:39.2575884Z ##[debug]Loading env
2024-02-02T22:04:39.2583153Z ##[group]Run github/codeql-action/upload-sarif@v3
2024-02-02T22:04:39.2583705Z with:
2024-02-02T22:04:39.2584036Z   sarif_file: sarif.output.json
2024-02-02T22:04:39.2584724Z   checkout_path: /home/runner/work/workflows-sandbox/workflows-sandbox
2024-02-02T22:04:39.2585637Z   token: ***
2024-02-02T22:04:39.2585953Z   matrix: null
2024-02-02T22:04:39.2586319Z   wait-for-processing: true
2024-02-02T22:04:39.2586744Z ##[endgroup]
2024-02-02T22:04:39.6661709Z ##[error]codeql/upload-sarif action failed: Resource not accessible by integration
2024-02-02T22:04:39.6808911Z ##[debug]Node Action run completed with exit code 1
2024-02-02T22:04:39.6824437Z ##[debug]CODEQL_ACTION_FEATURE_MULTI_LANGUAGE='false'
2024-02-02T22:04:39.6825285Z ##[debug]CODEQL_ACTION_FEATURE_SANDWICH='false'
2024-02-02T22:04:39.6825939Z ##[debug]CODEQL_ACTION_FEATURE_SARIF_COMBINE='true'
2024-02-02T22:04:39.6826630Z ##[debug]CODEQL_ACTION_FEATURE_WILL_UPLOAD='true'
2024-02-02T22:04:39.6827233Z ##[debug]CODEQL_ACTION_VERSION='3.24.0'
2024-02-02T22:04:39.6834655Z ##[debug]Finishing: Upload SARIF result
2024-02-02T22:04:39.7010947Z ##[debug]Starting: Complete job
2024-02-02T22:04:39.7013277Z Uploading runner diagnostic logs
2024-02-02T22:04:39.7068845Z ##[debug]Starting diagnostic file upload.
2024-02-02T22:04:39.7069455Z ##[debug]Setting up diagnostic log folders.
2024-02-02T22:04:39.7072335Z ##[debug]Creating diagnostic log files folder.
2024-02-02T22:04:39.7093443Z ##[debug]Copying 1 worker diagnostic logs.
2024-02-02T22:04:39.7112188Z ##[debug]Copying 1 runner diagnostic logs.
2024-02-02T22:04:39.7113578Z ##[debug]Zipping diagnostic files.
2024-02-02T22:04:39.7169938Z ##[debug]Uploading diagnostic metadata file.
2024-02-02T22:04:39.7190147Z ##[debug]Diagnostic file upload complete.
2024-02-02T22:04:39.7191009Z Completed runner diagnostic log upload
2024-02-02T22:04:39.7191545Z Cleaning up orphan processes
2024-02-02T22:04:39.7603521Z ##[debug]Finishing: Complete job
2024-02-02T22:04:39.7743940Z ##[debug]Finishing: Build, publish and notify / Docker Scout
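
An added example (not part of the original issue or of codeql-action): a small Python check that reads the `GITHUB_TOKEN Permissions` group from a runner log like the one above and reports which workflow permissions the SARIF upload still lacks. The function names and the `FIXED_LOG` sample are assumptions made for illustration; `ISSUE_LOG` is copied from the log in this issue.

```python
import re

LEVELS = {"none": 0, "read": 1, "write": 2}
# Runner log label -> (workflow `permissions:` key, minimum level).
# Per this issue: security-events: write always, actions: read in private repos.
ALWAYS = {"securityevents": ("security-events", "write")}
PRIVATE_ONLY = {"actions": ("actions", "read")}
TIMESTAMP = re.compile(r"^\d{4}-\d\d-\d\dT[\d:.]+Z ")

# Copied from the issue's log (the group printed during "Set up job").
ISSUE_LOG = """\
2024-02-02T22:03:54.0424717Z ##[group]GITHUB_TOKEN Permissions
2024-02-02T22:03:54.0427159Z Contents: read
2024-02-02T22:03:54.0427760Z Metadata: read
2024-02-02T22:03:54.0428376Z Packages: read
2024-02-02T22:03:54.0428936Z PullRequests: write
2024-02-02T22:03:54.0429547Z SecurityEvents: write
2024-02-02T22:03:54.0430219Z ##[endgroup]
"""
# Constructed sample: the same group after adding `actions: read` to the workflow.
FIXED_LOG = ISSUE_LOG.replace("Z Contents: read", "Z Actions: read\nZ Contents: read")


def granted_permissions(log_text):
    """Return {label_lowercase: level} parsed from the GITHUB_TOKEN Permissions group."""
    perms, inside = {}, False
    for raw in log_text.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        if line.startswith("Z "):  # tolerate lines without a full timestamp
            line = line[2:]
        if line == "##[group]GITHUB_TOKEN Permissions":
            inside = True
        elif inside and line.startswith("##[endgroup]"):
            break
        elif inside and ":" in line:
            label, level = (part.strip().lower() for part in line.split(":", 1))
            perms[label] = level
    return perms


def missing_for_sarif_upload(log_text, private_repo=True):
    """List the workflow permission entries the token lacks for upload-sarif."""
    perms = granted_permissions(log_text)
    required = dict(ALWAYS, **(PRIVATE_ONLY if private_repo else {}))
    return sorted(
        f"{key}: {need}"
        for label, (key, need) in required.items()
        if LEVELS.get(perms.get(label, "none"), 0) < LEVELS[need]
    )


if __name__ == "__main__":
    print("issue log lacks:", missing_for_sarif_upload(ISSUE_LOG))
    print("fixed log lacks:", missing_for_sarif_upload(FIXED_LOG))
```

Run against the log in this issue, the check reports `actions: read` as the only missing entry, which matches the TL;DR above.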
