Delete analysis after uploading

The analysis is purposefully failing. We don't want a failed analysis
sitting in the security center since this can cause some internal
checks to erroneously fail.

Author: aeisenberg

.github/actions/delete-uploaded-sarif/action.yml

@@ -0,0 +1,11 @@
+name: Delete uploaded SARIF
+description: Deletes an already uploaded SARIF analysis that was uploaded by the CodeQL Action in a previous step
+inputs:
+  token:
+    description: The GitHub token to use. It must have enough privileges to checkout the repository as well as the submodule.
+    required: true
+
+runs:
+  using: node16
+  main: index.js
+  post: post.js

.github/actions/delete-uploaded-sarif/index.js

@@ -0,0 +1 @@
+console.log("No action required.");

.github/actions/delete-uploaded-sarif/post.js

@@ -0,0 +1,32 @@
+const core = require('@actions/core')
+
+const sarifId = process.env.CODEQL_ACTION_TESTING_ENVIRONMENT;
+
+if (!sarifId) {
+  core.setFailed('CODEQL_ACTION_TESTING_ENVIRONMENT not set');
+  process.exit(1);
+}
+
+function initializeOctokit(token) {
+  if (!token) {
+    throw new Error('Missing GitHub Token.');
+  }
+  return github.getOctokit(token, {userAgent: "CodeQL-CI (github/semmle-code; submodule-check)"});
+}
+
+const token = core.getInput('token', { required: true });
+core.setSecret(token);
+const octokit = initializeOctokit(token);
+
+new Promise(async (resolve) => {
+  await octokit.request("DELETE /repos/{owner}/{repo}/code-scanning/analyses/{sarifId}?confirm_delete", {
+    owner: "github",
+    repo: "codeql-action",
+    sarifId
+  });
+  console.log(`Deleted uploaded SARIF analysis with ID ${sarifId}.`);
+  resolve();
+}).catch((error) => {
+  core.setFailed(error.message);
+  process.exit(1);
+});

.github/workflows/__submit-sarif-failure.yml

@@ -38,4 +38,5 @@ jobs:
     - name: Analyze
       uses: ./../action/analyze
       with:
+        upload: false
         upload-database: false

.github/workflows/python312-windows.yml

@@ -16,6 +16,11 @@ env:
 
 steps:
   - uses: actions/checkout@v4
+  # This step ensures that the invalid uploaded SARIF file is deleted at the end of the
+  # workflow run. This avoids any erroneous alerts with our internal reporting.
+  - uses: ./delete-uploaded-sarif
+    with:
+      token: ${{ secrets.GITHUB_TOKEN }}
   - uses: ./init
     with:
       languages: javascript
@@ -27,8 +32,19 @@ steps:
     continue-on-error: true
     run: exit 1
   - uses: ./analyze
+    id: analyze
     # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
     # above, we manually disable it with an `if` condition.
     if: false
     with:
       category: "/test-codeql-version:${{ matrix.version }}"
+
+  - name: Delete uploaded analysis
+    env:
+      UPLOADED_SARIF_ID: ${{ steps.analyze.outputs.sarif-id }}
+    shell: bash
+    run: |
+      echo "Deleting SARIF analysis with ID ${UPLOADED_SARIF_ID}"
+      gh api \
+        --method DELETE \
+        /repos/github/codeql-action/code-scanning/analyses//${UPLOADED_SARIF_ID}?confirm_delete

pr-checks/checks/submit-sarif-failure.yml

@@ -68,4 +68,9 @@ export enum EnvVar {
    * We check this later to ensure that it hasn't been tampered with by a late e.g. `setup-go` step.
    */
   GO_BINARY_LOCATION = "CODEQL_ACTION_GO_BINARY",
+
+  /**
+   * The internal SARIF ID of the uploaded SARIF file for the most recent uploaded SARIF file.
+   */
+  UPLOADED_SARIF_ID = "CODEQL_ACTION_UPLOADED_SARIF_ID",
 }

src/environment.ts

@@ -407,6 +407,8 @@ async function uploadFiles(
   // Make the upload
   const sarifID = await uploadPayload(payload, repositoryNwo, logger);
 
+  // Make the sarif ID available to later steps
+  core.exportVariable(EnvVar.UPLOADED_SARIF_ID, sarifID);
   logger.endGroup();
 
   return {