Only delete SARIF in PR check if not running on a fork

The `Submit SARIF after failure` PR Check was failing when opened on a fork because of a permissions problem when deleting the uploaded SARIF. This change should fix this by only deleting the SARIF when the owner of the current repository is `github`.
github · Jan 12, 2024 · 7a76543 · 7a76543
1 parent 9653106
commit 7a76543
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 3 deletions.
diff --git a/lib/init-action-post-helper.js b/lib/init-action-post-helper.js
diff --git a/lib/init-action-post-helper.js.map b/lib/init-action-post-helper.js.map
diff --git a/src/init-action-post-helper.ts b/src/init-action-post-helper.ts
@@ -1,3 +1,5 @@
+import * as core from "@actions/core";
+
 import * as actionsUtil from "./actions-util";
 import { getApiClient } from "./api-client";
 import { getCodeQL } from "./codeql";
@@ -182,7 +184,13 @@ export async function run(
     );
   }
 
-  if (process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true") {
+  core.info(`GITHUB_ACTOR is ${process.env["GITHUB_ACTOR"]}`);
+  // We do not delete uploaded SARIFs if we're on a fork, as we're missing the
+  // appropriate permissions.
+  if (
+    process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true" &&
+    repositoryNwo.owner !== "github"
+  ) {
     await removeUploadedSarif(uploadFailedSarifResult, logger);
   }