Upload failed SARIF for risk assessments in init-post step

[mbg]

This modifies the init-post action to upload a failed SARIF as a workflow artifact for risk assessments. This mirrors what we do for Code Scanning, except there we upload the SARIF to the API.

Risk assessment

For internal use only. Please select the risk level of this change:

• Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Which use cases does this change impact?

Workflow types:

• Managed - Impacts users with dynamic workflows (Default Setup, Code Quality, ...).

Products:

• Other first-party - The changes impact other first-party analyses.

Environments:

• Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.

How did/will you validate this change?

• Test repository - This change will be tested on a test repository before merging.
• Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
• End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

• Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

• Telemetry - I rely on existing telemetry or have made changes to the telemetry.
  • Dashboards - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
  • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

• Special considerations - This change should only be merged once certain preconditions are met. Please provide details of those or link to this PR from an internal issue.

Merge / deployment checklist

• Confirm this change is backwards compatible with existing workflows.
• Consider adding a changelog entry for this change.
• Confirm the readme and docs have been updated if necessary.

[Copilot]

Pull request overview

This PR enhances the init-post action to upload failed SARIF files as workflow artifacts when running risk assessments, extending the existing failure diagnostics infrastructure to support a new analysis type.

Changes:

• Refactored failed SARIF preparation logic to support both code scanning (uploaded to GitHub) and risk assessment (uploaded as artifacts)
• Added isRiskAssessmentEnabled helper function to check if risk assessment analysis is enabled
• Renamed run function to uploadFailureInfo in init-action-post-helper.ts to better reflect its purpose
• Added comprehensive test coverage for risk assessment artifact upload scenarios

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
src/init-action-post.ts	Updated function call from run to uploadFailureInfo
src/init-action-post-helper.ts	Refactored failed SARIF logic: extracted prepareFailedSarif and generateFailedSarif, added maybeUploadFailedSarifArtifact for risk assessments, improved conditional logic
src/init-action-post-helper.test.ts	Added tests for risk assessment artifact uploads (both diagnosticsExport and databaseExportDiagnostics paths) and edge cases
src/config-utils.ts	Added isRiskAssessmentEnabled helper function for checking risk assessment analysis kind
lib/init-action-post.js	Auto-generated JavaScript from TypeScript source (not reviewed)

Comments suppressed due to low confidence (1)

src/init-action-post-helper.ts:86

• Typo in the comment: "can contains" should be "can contain" (singular, not plural).

 * Tries to prepare a SARIF file that can contains information about a failed analysis.

[henrymercer]

This looks good. I like the way you've broken up the methods and the use of Result. Before merging, I'd like to see an end-to-end test similar to the "Submit SARIF after failure" PR check for risk assessment. CCR also has suggested some typo fixes.