
Configure CodeQL to output SARIF artifacts without uploading to Code Scanning#10

Open
Copilot wants to merge 2 commits into
mainfrom
copilot/add-codeql-security-analysis

Conversation


Copilot AI commented Nov 17, 2025

Modified the CodeQL workflow to run security analysis and save results as downloadable artifacts instead of uploading to GitHub Code Scanning.

Changes

  • Permissions: Removed security-events: write (not needed without code scanning upload)
  • Analysis step: Added upload: "false" to disable automatic upload to Code Scanning
  • Artifact upload: Replaced codeql-action/upload-sarif with actions/upload-artifact@v4 to save SARIF files as workflow artifacts
- name: Perform CodeQL Analysis (no code scanning upload)
  uses: github/codeql-action/analyze@v3
  with:
    category: "/language:${{ matrix.language }}"
    upload: "false"

- name: Upload SARIF artifact
  uses: actions/upload-artifact@v4
  with:
    name: codeql-sarif
    path: results/**/*.sarif

This allows manual review of security findings without populating the repository's Security tab.

Original prompt

name: CodeQL Security Analysis

on:
  push:
    branches:
      - main
      - develop
  pull_request:
    branches:
      - main
      - develop
  schedule:
    - cron: '0 0 * * 1'
  workflow_dispatch:

jobs:
  analyze:
    name: Analyze Python Code
    runs-on: ubuntu-latest

    permissions:
      actions: read
      contents: read
      # security-events: write  # not needed if we don't upload to code scanning

    strategy:
      fail-fast: false
      matrix:
        language: ['python']

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-and-quality

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt || echo "No requirements.txt yet"
        continue-on-error: true

      - name: Perform CodeQL Analysis (no code scanning upload)
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
          upload: "false"          # <— key change: do not upload to code scanning

      # Optional: archive SARIF as a plain artifact
      - name: Upload SARIF artifact
        uses: actions/upload-artifact@v4
        with:
          name: codeql-sarif
          path: results/**/*.sarif

Custom agent used: Legendary LID-LIFT Orchestrator v1.4
Full System orchestration for Instinct.OS / CVE Matter-Analysis OS.
Produces human report + H-MOC run_report, using LID-LIFT, BBS tensor macrosegments,
positional alignment, and reverse-adversarial refractors.
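Because `upload: "false"` keeps findings out of the Security tab, someone has to read the downloaded SARIF. The following is an added example, not code from this PR or from the codeql-action project: it summarises a CodeQL SARIF 2.1.0 artifact by rule, location and security-severity, and exits non-zero when any finding reaches a threshold. `SAMPLE_SARIF` is a constructed document; its rule ids, file paths and line numbers are made up.

```python
# Added example, not from the PR. Summarise a CodeQL SARIF artifact and
# fail when a finding meets a security-severity threshold. SAMPLE_SARIF is a
# constructed SARIF 2.1.0 document; its rule ids, paths and lines are made up.
import json
import sys

SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeQL", "rules": [
        {"id": "py/sql-injection", "properties": {"security-severity": "8.8"}},
        {"id": "py/unused-import", "properties": {}}]}},
    "results": [
        {"ruleId": "py/sql-injection", "level": "error",
         "message": {"text": "Query built from user input"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
        {"ruleId": "py/unused-import", "level": "note",
         "message": {"text": "Import of 'os' is not used"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/util.py"}, "region": {"startLine": 3}}}]}]}]})


def triage(sarif_text, threshold=7.0):
    """Return (findings sorted by severity, the subset at or above threshold)."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        # CodeQL stores security-severity (0-10) on the rule, not on each result
        severity = {r["id"]: float(r.get("properties", {}).get("security-severity", 0))
                    for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            findings.append({
                "rule": res["ruleId"],
                "level": res.get("level", "warning"),
                "security_severity": severity.get(res["ruleId"], 0.0),
                "file": loc["artifactLocation"]["uri"],
                "line": loc.get("region", {}).get("startLine"),
                "message": res["message"]["text"]})
    findings.sort(key=lambda f: f["security_severity"], reverse=True)
    return findings, [f for f in findings if f["security_severity"] >= threshold]


if __name__ == "__main__":
    # Pass the downloaded .sarif path; with no argument the constructed sample is used
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SARIF
    found, blocking = triage(text)
    for f in found:
        print(f"{f['security_severity']:4.1f} {f['level']:<7} {f['rule']} {f['file']}:{f['line']}")
    sys.exit(1 if blocking else 0)
```

Run it against each `.sarif` file in the downloaded `codeql-sarif` artifact; the exit code lets a follow-up job enforce a threshold that Code Scanning would otherwise have enforced.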



Copilot AI self-assigned this Nov 17, 2025
… as artifact

Co-authored-by: igor-holt <125706350+igor-holt@users.noreply.github.com>
Copilot AI changed the title [WIP] Add CodeQL security analysis for Python code Configure CodeQL to output SARIF artifacts without uploading to Code Scanning Nov 17, 2025
@igor-holt Igor Holt (igor-holt) marked this pull request as ready for review November 17, 2025 10:55
Copilot AI review requested due to automatic review settings November 17, 2025 10:55

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.


Comment on lines +68 to +73
# Optional: archive SARIF as a plain artifact
- name: Upload SARIF artifact
uses: actions/upload-artifact@v4
with:
sarif_file: ../results
continue-on-error: true
name: codeql-sarif
path: results/**/*.sarif
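Review bot: dropping `continue-on-error: true` together with the upload-sarif step leaves no guard on the new artifact step, and actions/upload-artifact@v4 defaults to `if-no-files-found: warn`, so a `path:` that matches nothing (as `results/**/*.sarif` would while analyze writes to `../results`) only warns and the job still passes with no SARIF attached. Add `if-no-files-found: error` under `with:` so a path mismatch fails the job, and point `path:` at the directory the analyze step's `output:` input names (its default is `../results`).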

P1: Uploads wrong SARIF path

The new artifact upload step now points to results/**/*.sarif, but the CodeQL analyze action writes its SARIF bundle into ../results (see the previous workflow version where sarif_file: ../results was required for upload-sarif). Because the directory name and depth no longer match, the actions/upload-artifact@v4 step never finds any files to upload, so the workflow produces no downloadable SARIF despite the stated goal of the change. The path should continue to target ../results (or whatever directory analyze is configured to emit) before this workflow can deliver the promised artifacts.


Copilot AI left a comment


Pull Request Overview

This PR modifies the CodeQL workflow to output SARIF security analysis results as downloadable workflow artifacts instead of uploading them to GitHub Code Scanning. This allows manual review of security findings without populating the repository's Security tab.

Key Changes

  • Removed security-events: write permission since Code Scanning upload is disabled
  • Added upload: "false" parameter to the CodeQL analyze action to prevent automatic upload
  • Replaced github/codeql-action/upload-sarif@v3 with actions/upload-artifact@v4 to save SARIF files as workflow artifacts


sarif_file: ../results
continue-on-error: true
name: codeql-sarif
path: results/**/*.sarif

Copilot AI Nov 17, 2025


The SARIF file path pattern is likely incorrect. When using upload: "false" in the CodeQL analyze action, the SARIF files are typically generated in ../results/ (relative to the GitHub workspace), not results/ within the workspace.

The correct path should be:

path: ../results/*.sarif

Additionally, you may want to specify an output parameter in the analyze step to explicitly control where SARIF files are saved:

- name: Perform CodeQL Analysis (no code scanning upload)
  uses: github/codeql-action/analyze@v3
  with:
    category: "/language:${{ matrix.language }}"
    upload: "false"
    output: ../results

with:
sarif_file: ../results
continue-on-error: true
name: codeql-sarif
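Review bot: `name: codeql-sarif` is constant across the language matrix, and with actions/upload-artifact@v4 a second job uploading an artifact with the same name fails with a conflict error rather than overwriting the first (v4 artifacts are immutable once uploaded), so adding a second matrix entry would break the job instead of silently losing data. Use a per-job name such as `name: codeql-sarif-${{ matrix.language }}`.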

Copilot AI Nov 17, 2025


The artifact name should include the language from the matrix to avoid conflicts when multiple languages are analyzed. Since this workflow uses a matrix strategy for languages, uploading artifacts with the same name will cause them to overwrite each other.

Consider using:

name: codeql-sarif-${{ matrix.language }}
Suggested change
name: codeql-sarif
name: codeql-sarif-${{ matrix.language }}
