Feb 9, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md

 ## [UNRELEASED]

 No user facing changes.
 - Users will no longer need to include `actions: read` permissions to use `upload-sarif` in private repositories.

 ## 3.25.6 - 20 May 2024

diff --git a/lib/api-client.js b/lib/api-client.js
diff --git a/lib/api-client.js.map b/lib/api-client.js.map
diff --git a/queries/default-setup-environment-variables.ql b/queries/default-setup-environment-variables.ql
      "GITHUB_ACTION_REF", "GITHUB_ACTION_REPOSITORY", "GITHUB_ACTOR", "GITHUB_API_URL",
      "GITHUB_BASE_REF", "GITHUB_EVENT_NAME", "GITHUB_JOB", "GITHUB_RUN_ATTEMPT", "GITHUB_RUN_ID",
      "GITHUB_SHA", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_TOKEN", "GITHUB_WORKFLOW",
      "GITHUB_WORKSPACE", "GOFLAGS", "ImageVersion", "JAVA_TOOL_OPTIONS", "RUNNER_ARCH",
      "RUNNER_ENVIRONMENT", "RUNNER_NAME", "RUNNER_OS", "RUNNER_TEMP", "RUNNER_TOOL_CACHE"
      "GITHUB_WORKFLOW_REF", "GITHUB_WORKSPACE", "GOFLAGS", "ImageVersion", "JAVA_TOOL_OPTIONS",
      "RUNNER_ARCH", "RUNNER_ENVIRONMENT", "RUNNER_NAME", "RUNNER_OS", "RUNNER_TEMP",
      "RUNNER_TOOL_CACHE"
    ]
 }

diff --git a/src/api-client.ts b/src/api-client.ts
 * Get the path of the currently executing workflow relative to the repository root.
 */
 export async function getWorkflowRelativePath(): Promise<string> {
  const repo_nwo = getRequiredEnvParam("GITHUB_REPOSITORY").split("/");
  const owner = repo_nwo[0];
  const repo = repo_nwo[1];
  const run_id = Number(getRequiredEnvParam("GITHUB_RUN_ID"));

  const apiClient = getApiClient();
  const runsResponse = await apiClient.request(
    "GET /repos/:owner/:repo/actions/runs/:run_id?exclude_pull_requests=true",
    {
      owner,
      repo,
      run_id,
    },
  );
  const workflowUrl = runsResponse.data.workflow_url;

  const workflowResponse = await apiClient.request(`GET ${workflowUrl}`);

  return workflowResponse.data.path;
  const workflow_ref = process.env["GITHUB_WORKFLOW_REF"];
  const workflowRegExp = new RegExp("^[^/]+/[^/]+/(.*?)@.*");
  const match = workflow_ref?.match(workflowRegExp);
  return new Promise((resolve) => {
    resolve(match ? match[1] : '');
  });
 }

 /**
Original file line number	Diff line number	Diff line change
Expand Up		@@ -6,7 +6,7 @@ Note that the only difference between `v2` and `v3` of the CodeQL Action is the

		## [UNRELEASED]

		No user facing changes.
		- Users will no longer need to include `actions: read` permissions to use `upload-sarif` in private repositories.

		## 3.25.6 - 20 May 2024

Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -22,8 +22,9 @@ predicate isSafeForDefaultSetup(string envVar) {
		"GITHUB_ACTION_REF", "GITHUB_ACTION_REPOSITORY", "GITHUB_ACTOR", "GITHUB_API_URL",
		"GITHUB_BASE_REF", "GITHUB_EVENT_NAME", "GITHUB_JOB", "GITHUB_RUN_ATTEMPT", "GITHUB_RUN_ID",
		"GITHUB_SHA", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_TOKEN", "GITHUB_WORKFLOW",
		"GITHUB_WORKSPACE", "GOFLAGS", "ImageVersion", "JAVA_TOOL_OPTIONS", "RUNNER_ARCH",
		"RUNNER_ENVIRONMENT", "RUNNER_NAME", "RUNNER_OS", "RUNNER_TEMP", "RUNNER_TOOL_CACHE"
		"GITHUB_WORKFLOW_REF", "GITHUB_WORKSPACE", "GOFLAGS", "ImageVersion", "JAVA_TOOL_OPTIONS",
		"RUNNER_ARCH", "RUNNER_ENVIRONMENT", "RUNNER_NAME", "RUNNER_OS", "RUNNER_TEMP",
		"RUNNER_TOOL_CACHE"
		]
		}

Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -121,25 +121,12 @@ export async function getGitHubVersion(): Promise<GitHubVersion> {
		* Get the path of the currently executing workflow relative to the repository root.
		*/
		export async function getWorkflowRelativePath(): Promise<string> {
		const repo_nwo = getRequiredEnvParam("GITHUB_REPOSITORY").split("/");
		const owner = repo_nwo[0];
		const repo = repo_nwo[1];
		const run_id = Number(getRequiredEnvParam("GITHUB_RUN_ID"));

		const apiClient = getApiClient();
		const runsResponse = await apiClient.request(
		"GET /repos/:owner/:repo/actions/runs/:run_id?exclude_pull_requests=true",
		{
		owner,
		repo,
		run_id,
		},
		);
		const workflowUrl = runsResponse.data.workflow_url;

		const workflowResponse = await apiClient.request(`GET ${workflowUrl}`);

		return workflowResponse.data.path;
		const workflow_ref = process.env["GITHUB_WORKFLOW_REF"];
github-advanced-security[bot] marked this conversation as resolved. FixedShow fixedHide fixed Check warning Code scanning / CodeQL Some environment variables may not exist in default setup workflows The environment variable GITHUB_WORKFLOW_REF may not exist in default setup workflows. If all uses are safe, add it to the list of environment variables that are known to be safe in 'queries/default-setup-environment-variables.ql'. If this use is safe but others are not, dismiss this alert as a false positive.
		const workflowRegExp = new RegExp("^[^/]+/[^/]+/(.?)@.");
		const match = workflow_ref?.match(workflowRegExp);
		return new Promise((resolve) => {
		resolve(match ? match[1] : '');
		});
		}

		/**
Expand Down