Change notification: https://github.blog/changelog/2025-07-21-code-scanning-will-stop-combining-multiple-sarif-runs-uploaded-in-the-same-sarif-file/
Caused a failure in our CI run that uses this GitHub Action: https://github.com/xapi-project/xen-api/actions/runs/16497129234/job/46647606756?pr=6604
```
Uploading code scanning results
Processing sarif files: ["/home/runner/work/xen-api/xen-api/codechecker.sarif/direct_copy_stubs.c_cppcheck_6b3f0ebdac13ea86db691b4fe8b5f07f.sarif","/home/runner/work/xen-api/xen-api/codechecker.sarif/domain_state.h_cppcheck_1b4a16a335f4c936103d8a67e42d0123.sarif","/home/runner/work/xen-api/xen-api/codechecker.sarif/fe_stubs.c_cppcheck_a368057bdce6779f133bea47360fd020.sarif","/home/runner/work/xen-api/xen-api/codechecker.sarif/unixpwd.c_cppcheck_02f4747fd49e168a03ffbad6e67a580c.sarif","/home/runner/work/xen-api/xen-api/codechecker.sarif/xenctrlext_stubs.c_cppcheck_96c30de13da31cf14aba33627a838638.sarif","/home/runner/work/xen-api/xen-api/codechecker.sarif/xxhash_stubs.c_cppcheck_7d977ae1e4d339938992d381fa3f4ce2.sarif"]
Validating /home/runner/work/xen-api/xen-api/codechecker.sarif/direct_copy_stubs.c_cppcheck_6b3f0ebdac13ea86db691b4fe8b5f07f.sarif
Validating /home/runner/work/xen-api/xen-api/codechecker.sarif/domain_state.h_cppcheck_1b4a16a335f4c936103d8a67e42d0123.sarif
Validating /home/runner/work/xen-api/xen-api/codechecker.sarif/fe_stubs.c_cppcheck_a368057bdce6779f133bea47360fd020.sarif
Validating /home/runner/work/xen-api/xen-api/codechecker.sarif/unixpwd.c_cppcheck_02f4747fd49e168a03ffbad6e67a580c.sarif
Validating /home/runner/work/xen-api/xen-api/codechecker.sarif/xenctrlext_stubs.c_cppcheck_96c30de13da31cf14aba33627a838638.sarif
Validating /home/runner/work/xen-api/xen-api/codechecker.sarif/xxhash_stubs.c_cppcheck_7d977ae1e4d339938992d381fa3f4ce2.sarif
Combining SARIF files using the CodeQL CLI
Error: The CodeQL Action does not support uploading multiple SARIF runs with the same category. Please update your workflow to upload a single run per category. For more information, see https://github.blog/changelog/2025-07-21-code-scanning-will-stop-combining-multiple-sarif-runs-uploaded-in-the-same-sarif-file/
```
We run codechecker like this:
```yaml
- uses: whisperity/codechecker-analysis-action@v1
  id: codechecker
  with:
    ctu: true
    logfile: ${{ github.workspace }}/compile_commands.json
    analyze-output: "codechecker_results"
- name: Upload CodeChecker report
  uses: actions/upload-artifact@v4
  with:
    name: codechecker_results
    path: "${{ steps.codechecker.outputs.result-html-dir }}"
```
We create the SARIF file like this in our CI:
```yaml
# cppcheck even for other analyzers apparently, this is
# codechecker's output
- name: convert to SARIF
  shell: bash
  run: report-converter "codechecker_results" --type cppcheck --output codechecker.sarif --export sarif
```
We've disabled the SARIF uploads in our CI for now (xapi-project/xen-api#6605); it still creates and uploads the artifact, but not the SARIF action.
Would be nice if this action could be updated to work with the latest requirements from GitHub's SARIF action.
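The error in the log above is raised because several per-file SARIF runs share one category. As an added example (not code from this issue, from CodeChecker or from the CodeQL Action), the Python below finds runs that share a tool name and category across SARIF documents and merges them into a single run before upload. Assumptions: the category is read from `automationDetails.id`, results locate files by `uri` rather than by artifact index, and the function names and sample documents are constructed for illustration.

```python
import copy
from collections import Counter

def run_key(run):
    """(tool name, category); category is automationDetails.id, "" if unset."""
    details = run.get("automationDetails") or {}
    return run["tool"]["driver"]["name"], details.get("id", "")

def duplicate_keys(docs):
    """Keys shared by more than one run across all the SARIF documents."""
    counts = Counter(run_key(r) for d in docs for r in d.get("runs", []))
    return {key: n for key, n in counts.items() if n > 1}

def merge_runs(docs):
    """Build one SARIF 2.1.0 document with a single run per key."""
    merged = {}
    for run in (r for d in docs for r in d.get("runs", [])):
        if run.get("artifacts"):
            # Assumption: results locate files by uri; index remapping is out of scope.
            raise ValueError("run has an artifacts array; indices would need remapping")
        rules = run["tool"]["driver"].get("rules", [])
        key = run_key(run)
        if key not in merged:
            out = {"tool": copy.deepcopy(run["tool"]), "results": []}
            out["tool"]["driver"]["rules"] = []
            if run.get("automationDetails"):
                out["automationDetails"] = copy.deepcopy(run["automationDetails"])
            merged[key] = out
        out = merged[key]
        known = {rule["id"] for rule in out["tool"]["driver"]["rules"]}
        for rule in rules:
            if rule["id"] not in known:
                known.add(rule["id"])
                out["tool"]["driver"]["rules"].append(copy.deepcopy(rule))
        for result in run.get("results", []):
            result = copy.deepcopy(result)
            # ruleIndex pointed into the per-file rules array; keep only the id.
            index = result.pop("ruleIndex", None)
            if "ruleId" not in result and index is not None:
                result["ruleId"] = rules[index]["id"]
            out["results"].append(result)
    return {"version": "2.1.0", "runs": list(merged.values())}

def _doc(rule_ids, results):  # constructed sample input, not real analyzer output
    driver = {"name": "cppcheck", "rules": [{"id": r} for r in rule_ids]}
    return {"version": "2.1.0", "runs": [{"tool": {"driver": driver}, "results": results}]}

SAMPLE = [_doc(["nullPointer"], [{"ruleId": "nullPointer", "ruleIndex": 0}]),
          _doc(["memleak", "nullPointer"], [{"ruleIndex": 0}, {"ruleIndex": 1}])]
```

In CI, the documents would be loaded with `json.load` from each file in the `codechecker.sarif` directory and the merged document written to a single file for the upload step.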