From 2a54ab50161a0e386fc920d02984dcd42f0df06f Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 16 Oct 2025 14:18:51 +0100 Subject: [PATCH 1/3] Fix `init-action-post-helper` tests using broken `Config`s --- src/init-action-post-helper.test.ts | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/src/init-action-post-helper.test.ts b/src/init-action-post-helper.test.ts index 1c1cbcb684..bd911a8a97 100644 --- a/src/init-action-post-helper.test.ts +++ b/src/init-action-post-helper.test.ts @@ -28,12 +28,13 @@ test("post: init action with debug mode off", async (t) => { const gitHubVersion: util.GitHubVersion = { type: util.GitHubVariant.DOTCOM, }; - sinon.stub(configUtils, "getConfig").resolves({ - debugMode: false, - gitHubVersion, - languages: [], - packs: [], - } as unknown as configUtils.Config); + sinon.stub(configUtils, "getConfig").resolves( + createTestConfig({ + debugMode: false, + gitHubVersion, + languages: [], + }), + ); const uploadAllAvailableDebugArtifactsSpy = sinon.spy(); const printDebugLogsSpy = sinon.spy(); @@ -335,12 +336,11 @@ async function testFailedSarifUpload( matrix?: { [key: string]: string }; } = {}, ): Promise { - const config = { + const config = createTestConfig({ codeQLCmd: "codeql", debugMode: true, languages: [], - packs: [], - } as unknown as configUtils.Config; + }); if (databaseExists) { config.dbLocation = "path/to/database"; } From c77b3fb96eca63bcd857805326e1ee12b342aeea Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Thu, 16 Oct 2025 14:26:03 +0100 Subject: [PATCH 2/3] Skip failed SARIF upload if `analysis-kinds: code-quality` --- lib/init-action-post.js | 8 ++++++++ src/init-action-post-helper.test.ts | 15 +++++++++++++++ src/init-action-post-helper.ts | 12 +++++++++++- 3 files changed, 34 insertions(+), 1 deletion(-) diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 42985a5d80..c1fb450bef 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js 
@@ -129786,6 +129786,9 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) { } return augmentedConfig; } +function isCodeQualityEnabled(config) { + return config.analysisKinds.includes("code-quality" /* CodeQuality */); +} // src/setup-codeql.ts var fs12 = __toESM(require("fs")); @@ -133750,6 +133753,11 @@ async function tryUploadSarifIfRunFailed(config, repositoryNwo, features, logger "CODEQL_ACTION_JOB_STATUS" /* JOB_STATUS */, process.env["CODEQL_ACTION_JOB_STATUS" /* JOB_STATUS */] ?? "JOB_STATUS_CONFIGURATION_ERROR" /* ConfigErrorStatus */ ); + if (config.analysisKinds.length === 1 && isCodeQualityEnabled(config)) { + return { + upload_failed_run_skipped_because: "Code Quality is the only enabled analysis kind." + }; + } try { return await maybeUploadFailedSarif( config, diff --git a/src/init-action-post-helper.test.ts b/src/init-action-post-helper.test.ts index bd911a8a97..e6f4243eaf 100644 --- a/src/init-action-post-helper.test.ts +++ b/src/init-action-post-helper.test.ts @@ -2,6 +2,7 @@ import test, { ExecutionContext } from "ava"; import * as sinon from "sinon"; import * as actionsUtil from "./actions-util"; +import { AnalysisKind } from "./analyses"; import * as codeql from "./codeql"; import * as configUtils from "./config-utils"; import { Feature } from "./feature-flags"; @@ -296,6 +297,17 @@ test("uploading failed SARIF run fails when workflow does not reference github/c t.truthy(result.upload_failed_run_stack_trace); }); +test("not uploading failed SARIF when `code-quality` is the only analysis kind", async (t) => { + const result = await testFailedSarifUpload(t, createTestWorkflow([]), { + analysisKinds: [AnalysisKind.CodeQuality], + expectUpload: false, + }); + t.is( + result.upload_failed_run_skipped_because, + "Code Quality is the only enabled analysis kind.", + ); +}); + function createTestWorkflow( steps: workflow.WorkflowJobStep[], ): workflow.Workflow { 
@@ -328,15 +340,18 @@ async function testFailedSarifUpload( expectUpload = true, exportDiagnosticsEnabled = false, matrix = {}, + analysisKinds = [AnalysisKind.CodeScanning], }: { category?: string; databaseExists?: boolean; expectUpload?: boolean; exportDiagnosticsEnabled?: boolean; matrix?: { [key: string]: string }; + analysisKinds?: AnalysisKind[]; } = {}, ): Promise { const config = createTestConfig({ + analysisKinds, codeQLCmd: "codeql", debugMode: true, languages: [], diff --git a/src/init-action-post-helper.ts b/src/init-action-post-helper.ts index 7d46095e91..331a8c10b4 100644 --- a/src/init-action-post-helper.ts +++ b/src/init-action-post-helper.ts @@ -7,7 +7,7 @@ import * as actionsUtil from "./actions-util"; import { CodeScanning } from "./analyses"; import { getApiClient } from "./api-client"; import { CodeQL, getCodeQL } from "./codeql"; -import { Config } from "./config-utils"; +import { Config, isCodeQualityEnabled } from "./config-utils"; import * as dependencyCaching from "./dependency-caching"; import { EnvVar } from "./environment"; import { Feature, FeatureEnablement } from "./feature-flags"; @@ -139,6 +139,16 @@ export async function tryUploadSarifIfRunFailed( EnvVar.JOB_STATUS, process.env[EnvVar.JOB_STATUS] ?? JobStatus.ConfigErrorStatus, ); + + // If the only enabled analysis kind is `code-quality`, then we shouldn't + // upload the failed SARIF to Code Scanning. + if (config.analysisKinds.length === 1 && isCodeQualityEnabled(config)) { + return { + upload_failed_run_skipped_because: + "Code Quality is the only enabled analysis kind.", + }; + } + try { return await maybeUploadFailedSarif( config, From db6938a4d09a8af2acb1b29fe4cfa5592984e870 Mon Sep 17 00:00:00 2001 
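Review bot: The early return added to `tryUploadSarifIfRunFailed` in `src/init-action-post-helper.ts` sits just before `try {`, so anything thrown while evaluating `config.analysisKinds` escapes the function instead of being handled like a failure from `maybeUploadFailedSarif`. Patch 1/3 had to replace partial `as unknown as configUtils.Config` fixtures, which suggests a Config without `analysisKinds` makes this check throw; whether a loaded Config can lack the field at runtime is not visible here. Consider moving the whole `if (...) { return { upload_failed_run_skipped_because: ... }; }` block so it is the first statement inside `try {`. Patch 3/3 rewrites the condition but keeps the same placement, and the function body continues outside the hunk.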
From: "Michael B. Gale" Date: Thu, 16 Oct 2025 15:00:12 +0100 Subject: [PATCH 3/3] Change check to be restrictive by default --- lib/init-action-post.js | 8 ++++---- src/init-action-post-helper.test.ts | 4 ++-- src/init-action-post-helper.ts | 7 +++---- 3 files changed, 9 insertions(+), 10 deletions(-) diff --git a/lib/init-action-post.js b/lib/init-action-post.js index c1fb450bef..ebb33f2cb9 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -129786,8 +129786,8 @@ function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) { } return augmentedConfig; } -function isCodeQualityEnabled(config) { - return config.analysisKinds.includes("code-quality" /* CodeQuality */); +function isCodeScanningEnabled(config) { + return config.analysisKinds.includes("code-scanning" /* CodeScanning */); } // src/setup-codeql.ts @@ -133753,9 +133753,9 @@ async function tryUploadSarifIfRunFailed(config, repositoryNwo, features, logger "CODEQL_ACTION_JOB_STATUS" /* JOB_STATUS */, process.env["CODEQL_ACTION_JOB_STATUS" /* JOB_STATUS */] ?? "JOB_STATUS_CONFIGURATION_ERROR" /* ConfigErrorStatus */ ); - if (config.analysisKinds.length === 1 && isCodeQualityEnabled(config)) { + if (!isCodeScanningEnabled(config)) { return { - upload_failed_run_skipped_because: "Code Quality is the only enabled analysis kind." + upload_failed_run_skipped_because: "Code Scanning is not enabled." }; } try { diff --git a/src/init-action-post-helper.test.ts b/src/init-action-post-helper.test.ts index e6f4243eaf..b0afb9b8b9 100644 --- a/src/init-action-post-helper.test.ts +++ b/src/init-action-post-helper.test.ts 
@@ -297,14 +297,14 @@ test("uploading failed SARIF run fails when workflow does not reference github/c t.truthy(result.upload_failed_run_stack_trace); }); -test("not uploading failed SARIF when `code-quality` is the only analysis kind", async (t) => { +test("not uploading failed SARIF when `code-scanning` is not an enabled analysis kind", async (t) => { const result = await testFailedSarifUpload(t, createTestWorkflow([]), { analysisKinds: [AnalysisKind.CodeQuality], expectUpload: false, }); t.is( result.upload_failed_run_skipped_because, - "Code Quality is the only enabled analysis kind.", + "Code Scanning is not enabled.", ); }); diff --git a/src/init-action-post-helper.ts b/src/init-action-post-helper.ts index 331a8c10b4..68bfda9a29 100644 --- a/src/init-action-post-helper.ts +++ b/src/init-action-post-helper.ts @@ -7,7 +7,7 @@ import * as actionsUtil from "./actions-util"; import { CodeScanning } from "./analyses"; import { getApiClient } from "./api-client"; import { CodeQL, getCodeQL } from "./codeql"; -import { Config, isCodeQualityEnabled } from "./config-utils"; +import { Config, isCodeScanningEnabled } from "./config-utils"; import * as dependencyCaching from "./dependency-caching"; import { EnvVar } from "./environment"; import { Feature, FeatureEnablement } from "./feature-flags"; @@ -142,10 +142,9 @@ export async function tryUploadSarifIfRunFailed( // If the only enabled analysis kind is `code-quality`, then we shouldn't // upload the failed SARIF to Code Scanning. - if (config.analysisKinds.length === 1 && isCodeQualityEnabled(config)) { + if (!isCodeScanningEnabled(config)) { return { - upload_failed_run_skipped_because: - "Code Quality is the only enabled analysis kind.", + upload_failed_run_skipped_because: "Code Scanning is not enabled.", }; }
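Review bot: The renamed test still only exercises `analysisKinds: [AnalysisKind.CodeQuality]`, so nothing in the visible hunks pins the case where both kinds are enabled. Now that the condition is `!isCodeScanningEnabled(config)`, add a case modelled on the existing upload tests with `analysisKinds: [AnalysisKind.CodeScanning, AnalysisKind.CodeQuality]`, so a later change cannot silently stop the failed-run SARIF upload when Code Scanning is enabled alongside Code Quality. A case with `analysisKinds: []` asserting the `"Code Scanning is not enabled."` reason would cover the other path the broader check introduces.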
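Review bot: The comment kept as context above the rewritten condition in `tryUploadSarifIfRunFailed` still reads "If the only enabled analysis kind is `code-quality`", but `if (!isCodeScanningEnabled(config))` now skips the upload for any configuration that lacks `code-scanning`. Update the comment to match the check, for example `// If Code Scanning is not an enabled analysis kind, don't upload the failed SARIF to Code Scanning.` The enclosing function starts and ends outside the hunk.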