I am attempting to integrate a static analyzer that produces known-good SARIF output into my project’s pull request workflow. I have this set up on both the master branch as well as on everything else - same process: run analysis, generate the SARIF, call the CodeQL action to upload it.
When I set up a branch protection policy to require everything to succeed, I expected the workflow to nicely fail because there were newly found issues. Unfortunately it keeps reporting that things were found, but apparently it can’t find the analysis for the base branch.
Here is the display in the pull request. I was hoping this is where I would see the failure and the new issues!
When I click to see further, it explains the situation. But I certainly ran the same thing on the commit named (pretty sure!):
The SARIF output is fine, I can click the link to view it anyway and it shows up.
I can’t tell what the problem might be. Searches for these error messages suggest this has come up pretty infrequently, and I can’t find a lot of detail on how Code Scanning Alerts work - which might explain how I’ve gotten my project into this situation.
Help appreciated! Thanks!
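For reference, here is what the setup described above typically looks like as a GitHub Actions workflow. This is an added example, not the poster’s actual workflow: the analyzer command (`./run-analyzer --sarif-out results.sarif`), the output file name and the `category` value are placeholders, and the `master` branch name is taken from the post.

```yaml
name: static-analysis

# The same job runs on pushes to the base branch and on every pull request,
# so that code scanning has a base-branch analysis to compare each PR against.
on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

permissions:
  contents: read
  security-events: write   # upload-sarif needs this to write code scanning results

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Placeholder for the analyzer used in the post (assumed command and output path).
      - name: Run static analyzer
        run: ./run-analyzer --sarif-out results.sarif

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          # Keep this identical on base-branch and PR runs: code scanning pairs a PR
          # analysis with the base-branch analysis by tool name and category, and a
          # mismatch shows up as "no analysis found" for the base branch.
          category: my-static-analyzer
```

Two things worth checking when the PR view reports a missing base analysis: that the upload on master and the upload on the PR use the same tool name and `category` (a differing or absent `category` produces two unrelated analysis streams), and that an analysis actually exists for the base commit the PR is being compared against. If the master run was added after the PR branch was created, the merge-base commit may predate the first upload; pushing to master and updating the PR branch gives code scanning a base analysis to diff against.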