Copilot AI commented Dec 9, 2025

GitHub's code scanning API now rejects SARIF files containing multiple runs with the same category (effective July 2025). Codacy often generates multi-run SARIF files, causing upload failures.

Changes

Split logic: Added Python script to detect and split multi-run SARIF files into individual files, one run per file. Single-run files pass through unchanged.

Upload strategy:

  • Single run → upload original results.sarif
  • Multiple runs → upload results-{0..9}.sarif with unique categories (codacy-run-0, etc.)
  • Conditional steps use hashFiles() to skip missing files

Error handling: Validates file existence and JSON structure; outputs step variable (single_run) to control upload flow.

Scalability: Supports up to 10 runs; warns if more detected.

```yaml
# Split step creates results-0.sarif, results-1.sarif, etc.
- name: Split SARIF file into individual runs
  run: |
    python3 << 'EOF'
    # Reads results.sarif, splits if len(sarif['runs']) > 1
    # Preserves $schema, version; writes single_run output
    EOF

# Each split file uploads with unique category
- name: Upload SARIF results file - Run 0
  if: hashFiles('results-0.sarif') != ''
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results-0.sarif
    category: codacy-run-0
```

Reference: https://github.blog/changelog/2025-07-21-code-scanning-will-stop-combining-multiple-sarif-runs-uploaded-in-the-same-sarif-file/

Original prompt

This pull request was created as a result of the following prompt from Copilot chat:

Update the Codacy Security Scan workflow to comply with GitHub's new SARIF upload requirements (July 2025). Currently, uploading a SARIF file with multiple runs causes the following error: "The CodeQL Action does not support uploading multiple SARIF runs with the same category." The workflow is modified to split the resulting SARIF into individual run files and upload each separately, according to https://github.blog/changelog/2025-07-21-code-scanning-will-stop-combining-multiple-sarif-runs-uploaded-in-the-same-sarif-file/.

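The split step sketched in the PR description, written out as an added, self-contained script (this is not the PR's own code). It assumes a `results.sarif` next to it, keeps `$schema` and `version` on every split file, stops at the 10-run cap, and appends `single_run=true|false` to `$GITHUB_OUTPUT` when that variable is set; the `SAMPLE` document is constructed, not real Codacy output.

```python
# Added example of the SARIF split step described above (not the PR's own
# script). File names, the 10-run cap and the single_run output follow the
# PR description; the SAMPLE document is constructed, not real Codacy output.
import json
import os
import sys
from pathlib import Path

MAX_RUNS = 10  # the workflow defines upload steps only for results-0..9

def split_sarif(sarif: dict) -> list:
    """Return one SARIF document per run, keeping $schema and version."""
    runs = sarif.get("runs")
    if not isinstance(runs, list) or not runs:
        raise ValueError("SARIF document has no non-empty 'runs' array")
    header = {k: v for k, v in sarif.items() if k != "runs"}
    return [dict(header, runs=[run]) for run in runs]

def write_split_files(src: Path, out_dir: Path, github_output=None) -> list:
    """Write results-N.sarif for multi-run input; emit the single_run output."""
    sarif = json.loads(src.read_text(encoding="utf-8"))  # raises on bad JSON
    parts = split_sarif(sarif)
    single_run = len(parts) == 1
    written = []
    if not single_run:
        if len(parts) > MAX_RUNS:
            print(f"::warning::{len(parts)} runs found, uploading first {MAX_RUNS}")
        for i, part in enumerate(parts[:MAX_RUNS]):
            dest = out_dir / f"results-{i}.sarif"
            dest.write_text(json.dumps(part, indent=2), encoding="utf-8")
            written.append(dest)
    if github_output is not None:  # path held in $GITHUB_OUTPUT on Actions
        with Path(github_output).open("a", encoding="utf-8") as fh:
            fh.write(f"single_run={'true' if single_run else 'false'}\n")
    return written

# Constructed sample: two tool runs packed into one SARIF file.
SAMPLE = {
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "toolA"}}, "results": []},
             {"tool": {"driver": {"name": "toolB"}}, "results": []}],
}

if __name__ == "__main__":
    src = Path(sys.argv[1] if len(sys.argv) > 1 else "results.sarif")
    files = write_split_files(src, src.parent, os.environ.get("GITHUB_OUTPUT"))
    print(f"wrote {len(files)} split file(s)")
```

Each `results-N.sarif` still needs its own `category` on upload (the `codacy-run-N` scheme above), because the rejection is keyed on duplicate categories, not on file count.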

Copilot AI and others added 2 commits December 9, 2025 08:29
Co-authored-by: fslef <23463958+fslef@users.noreply.github.com>
Co-authored-by: fslef <23463958+fslef@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update Codacy Security Scan workflow for SARIF compliance" to "Split SARIF files with multiple runs for GitHub code scanning compliance" Dec 9, 2025
Copilot AI requested a review from fslef December 9, 2025 08:36
@fslef fslef marked this pull request as ready for review December 9, 2025 08:36
@fslef fslef closed this Dec 9, 2025