From dae3742b0a3b9e08acc580e15ef74bdc454d650a Mon Sep 17 00:00:00 2001
From: Paolo Tranquilli
Date: Wed, 10 Sep 2025 07:46:05 +0200
Subject: [PATCH 1/2] Dump soon to be uploaded SARIF on request

This introduces a new internal environment variable flag (`CODEQL_ACTION_SARIF_DUMP_DIR`) that, when set to `true`, causes the SARIF file that will be uploaded to be dumped to the specified directory. The filename will be `upload.sarif` or `upload.quality.sarif` depending on the upload target.
---
 lib/analyze-action.js | 19 +++++++++++++++++++
 lib/init-action-post.js | 19 +++++++++++++++++++
 lib/upload-lib.js | 19 +++++++++++++++++++
 lib/upload-sarif-action.js | 19 +++++++++++++++++++
 src/environment.ts | 6 ++++++
 src/upload-lib.ts | 30 ++++++++++++++++++++++++++++++
 6 files changed, 112 insertions(+)
diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index 59c83e477b..a895f1254d 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -95612,6 +95612,10 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features validateUniqueCategory(sarif, uploadTarget.sentinelPrefix); logger.debug(`Serializing SARIF for upload`); const sarifPayload = JSON.stringify(sarif); + const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */]; + if (dumpDir) { + dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget); + } logger.debug(`Compressing serialized SARIF`); const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64"); const checkoutURI = url.pathToFileURL(checkoutPath).href;
@@ -95650,6 +95654,21 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features sarifID }; } +function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) { + if (!fs18.existsSync(outputDir)) { + fs18.mkdirSync(outputDir, { recursive: true }); + } else if (!fs18.lstatSync(outputDir).isDirectory()) { + throw new ConfigurationError( + `The path specified by the CODEQL_ACTION_SARIF_DUMP_DIR environment variable exists and is not a directory: ${outputDir}` + ); + } + const outputFile = path18.resolve( + outputDir, + `upload${uploadTarget.sarifExtension}` + ); + logger.info(`Dumping processed SARIF file to ${outputFile}`); + fs18.writeFileSync(outputFile, sarifPayload); +} var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3; var STATUS_CHECK_TIMEOUT_MILLISECONDS = 2 * 60 * 1e3; async function waitForProcessing(repositoryNwo, sarifID, logger, options = { diff --git a/lib/init-action-post.js b/lib/init-action-post.js index 8f90107276..d6b6a7a948 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -133049,6 +133049,10 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features validateUniqueCategory(sarif, uploadTarget.sentinelPrefix); logger.debug(`Serializing SARIF for upload`); const sarifPayload = JSON.stringify(sarif); + const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */]; + if (dumpDir) { + dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget); + } logger.debug(`Compressing serialized SARIF`); const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64"); const checkoutURI = url.pathToFileURL(checkoutPath).href; 
@@ -133087,6 +133091,21 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features sarifID }; } +function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) { + if (!fs17.existsSync(outputDir)) { + fs17.mkdirSync(outputDir, { recursive: true }); + } else if (!fs17.lstatSync(outputDir).isDirectory()) { + throw new ConfigurationError( + `The path specified by the CODEQL_ACTION_SARIF_DUMP_DIR environment variable exists and is not a directory: ${outputDir}` + ); + } + const outputFile = path17.resolve( + outputDir, + `upload${uploadTarget.sarifExtension}` + ); + logger.info(`Dumping processed SARIF file to ${outputFile}`); + fs17.writeFileSync(outputFile, sarifPayload); +} var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3; var STATUS_CHECK_TIMEOUT_MILLISECONDS = 2 * 60 * 1e3; async function waitForProcessing(repositoryNwo, sarifID, logger, options = { diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 4f8e075ada..64e89d2e41 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -92421,6 +92421,10 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features validateUniqueCategory(sarif, uploadTarget.sentinelPrefix); logger.debug(`Serializing SARIF for upload`); const sarifPayload = JSON.stringify(sarif); + const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */]; + if (dumpDir) { + dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget); + } logger.debug(`Compressing serialized SARIF`); const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64"); const checkoutURI = url.pathToFileURL(checkoutPath).href; 
@@ -92459,6 +92463,21 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features sarifID }; } +function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) { + if (!fs13.existsSync(outputDir)) { + fs13.mkdirSync(outputDir, { recursive: true }); + } else if (!fs13.lstatSync(outputDir).isDirectory()) { + throw new ConfigurationError( + `The path specified by the CODEQL_ACTION_SARIF_DUMP_DIR environment variable exists and is not a directory: ${outputDir}` + ); + } + const outputFile = path14.resolve( + outputDir, + `upload${uploadTarget.sarifExtension}` + ); + logger.info(`Dumping processed SARIF file to ${outputFile}`); + fs13.writeFileSync(outputFile, sarifPayload); +} var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3; var STATUS_CHECK_TIMEOUT_MILLISECONDS = 2 * 60 * 1e3; async function waitForProcessing(repositoryNwo, sarifID, logger, options = { diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js index fda852a528..0a23321269 100644 --- a/lib/upload-sarif-action.js +++ b/lib/upload-sarif-action.js @@ -93122,6 +93122,10 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features validateUniqueCategory(sarif, uploadTarget.sentinelPrefix); logger.debug(`Serializing SARIF for upload`); const sarifPayload = JSON.stringify(sarif); + const dumpDir = process.env["CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */]; + if (dumpDir) { + dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget); + } logger.debug(`Compressing serialized SARIF`); const zippedSarif = import_zlib.default.gzipSync(sarifPayload).toString("base64"); const checkoutURI = url.pathToFileURL(checkoutPath).href; 
@@ -93160,6 +93164,21 @@ async function uploadSpecifiedFiles(sarifPaths, checkoutPath, category, features sarifID }; } +function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) { + if (!fs14.existsSync(outputDir)) { + fs14.mkdirSync(outputDir, { recursive: true }); + } else if (!fs14.lstatSync(outputDir).isDirectory()) { + throw new ConfigurationError( + `The path specified by the CODEQL_ACTION_SARIF_DUMP_DIR environment variable exists and is not a directory: ${outputDir}` + ); + } + const outputFile = path15.resolve( + outputDir, + `upload${uploadTarget.sarifExtension}` + ); + logger.info(`Dumping processed SARIF file to ${outputFile}`); + fs14.writeFileSync(outputFile, sarifPayload); +} var STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1e3; var STATUS_CHECK_TIMEOUT_MILLISECONDS = 2 * 60 * 1e3; async function waitForProcessing(repositoryNwo, sarifID, logger, options = {
diff --git a/src/environment.ts b/src/environment.ts
index f25e7270da..e78c367244 100644
--- a/src/environment.ts
+++ b/src/environment.ts
@@ -119,4 +119,10 @@ export enum EnvVar {
 * Whether to enable experimental extractors for CodeQL.
 */
 EXPERIMENTAL_FEATURES = "CODEQL_ENABLE_EXPERIMENTAL_FEATURES",
+
+ /**
+ * Whether and where to dump the processed SARIF file that would be uploaded, regardless of
+ * whether the upload is disabled. This is intended for testing and debugging purposes.
+ */
+ SARIF_DUMP_DIR = "CODEQL_ACTION_SARIF_DUMP_DIR",
 }
diff --git a/src/upload-lib.ts b/src/upload-lib.ts
index 8939e16944..8a2ca91c67 100644
--- a/src/upload-lib.ts
+++ b/src/upload-lib.ts
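Review bot: The doc comment added for `SARIF_DUMP_DIR` in src/environment.ts does not say what value the variable takes or how sensitive the dump is. The commit message speaks of setting it to `true`, while `dumpSarifFile` in src/upload-lib.ts treats the value as a directory path, so the comment should settle this. I would add a line such as `* The value is a directory path; the dumped file is the same payload that is uploaded, so the directory should not be shared or published as an artifact.`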
@@ -696,6 +696,12 @@ export async function uploadSpecifiedFiles(
 validateUniqueCategory(sarif, uploadTarget.sentinelPrefix);
 logger.debug(`Serializing SARIF for upload`);
 const sarifPayload = JSON.stringify(sarif);
+
+ const dumpDir = process.env[EnvVar.SARIF_DUMP_DIR];
+ if (dumpDir) {
+ dumpSarifFile(sarifPayload, dumpDir, logger, uploadTarget);
+ }
+
 logger.debug(`Compressing serialized SARIF`);
 const zippedSarif = zlib.gzipSync(sarifPayload).toString("base64");
 const checkoutURI = url.pathToFileURL(checkoutPath).href;
@@ -742,6 +748,30 @@ export async function uploadSpecifiedFiles(
 };
 }
+/**
+ * Dumps the given processed SARIF file contents to `outputDir`.
+ */
+function dumpSarifFile(
+ sarifPayload: string,
+ outputDir: string,
+ logger: Logger,
+ uploadTarget: analyses.AnalysisConfig,
+) {
+ if (!fs.existsSync(outputDir)) {
+ fs.mkdirSync(outputDir, { recursive: true });
+ } else if (!fs.lstatSync(outputDir).isDirectory()) {
+ throw new ConfigurationError(
+ `The path specified by the CODEQL_ACTION_SARIF_DUMP_DIR environment variable exists and is not a directory: ${outputDir}`,
+ );
+ }
+ const outputFile = path.resolve(
+ outputDir,
+ `upload${uploadTarget.sarifExtension}`,
+ );
+ logger.info(`Dumping processed SARIF file to ${outputFile}`);
+ fs.writeFileSync(outputFile, sarifPayload);
+}
+
 const STATUS_CHECK_FREQUENCY_MILLISECONDS = 5 * 1000;
 const STATUS_CHECK_TIMEOUT_MILLISECONDS = 2 * 60 * 1000;
From 4c534612bf77788909753a5602e96710156f5758 Mon Sep 17 00:00:00 2001
From: Paolo Tranquilli
Date: Wed, 10 Sep 2025 07:52:59 +0200
Subject: [PATCH 2/2] Tweak sarif dump log

---
 lib/analyze-action.js | 2 +-
 lib/init-action-post.js | 2 +-
 lib/upload-lib.js | 2 +-
 lib/upload-sarif-action.js | 2 +-
 src/upload-lib.ts | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/analyze-action.js b/lib/analyze-action.js
index a895f1254d..33c595fdc5 100644
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
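Review bot: The `dumpSarifFile(...)` call in the first src/upload-lib.ts hunk sits on the upload path with no error handling visible in the hunk. A write failure in this debugging aid (unwritable directory, full disk) would therefore propagate out of `uploadSpecifiedFiles` and fail the upload. If that is intended, a comment should say so, e.g. `// A failed dump aborts the upload on purpose: the variable is only set for testing and debugging.` The value is also used as given, so a relative path resolves against the process working directory via `path.resolve`. The rest of `uploadSpecifiedFiles` lies outside the hunk.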
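Review bot: `fs.writeFileSync(outputFile, sarifPayload)` in `dumpSarifFile` (second src/upload-lib.ts hunk) creates the dump with the process default mode and follows a pre-existing symlink at the `upload<ext>` path. On a shared or self-hosted runner the code-scanning findings can therefore become readable by other local users, or be written somewhere other than the directory named in the log line. An explicit mode narrows the first exposure: `fs.writeFileSync(outputFile, sarifPayload, { mode: 0o600 });`. The `existsSync`/`lstatSync` pair is a check-then-use sequence, and `lstatSync` rejects a symlink that points at a directory. `fs.mkdirSync(outputDir, { recursive: true })` on its own already succeeds for an existing directory and throws for a non-directory, so the branch could be reduced to that call with the error rewrapped as `ConfigurationError`. The same code is mirrored in the generated lib/*.js bundles.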
@@ -95659,7 +95659,7 @@ function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) { fs18.mkdirSync(outputDir, { recursive: true }); } else if (!fs18.lstatSync(outputDir).isDirectory()) { throw new ConfigurationError( - `The path specified by the CODEQL_ACTION_SARIF_DUMP_DIR environment variable exists and is not a directory: ${outputDir}` + `The path specified by the ${"CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */} environment variable exists and is not a directory: ${outputDir}` ); } const outputFile = path18.resolve( diff --git a/lib/init-action-post.js b/lib/init-action-post.js index d6b6a7a948..98bf415b09 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js @@ -133096,7 +133096,7 @@ function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) { fs17.mkdirSync(outputDir, { recursive: true }); } else if (!fs17.lstatSync(outputDir).isDirectory()) { throw new ConfigurationError( - `The path specified by the CODEQL_ACTION_SARIF_DUMP_DIR environment variable exists and is not a directory: ${outputDir}` + `The path specified by the ${"CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */} environment variable exists and is not a directory: ${outputDir}` ); } const outputFile = path17.resolve( diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 64e89d2e41..d45968cd0a 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -92468,7 +92468,7 @@ function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) { fs13.mkdirSync(outputDir, { recursive: true }); } else if (!fs13.lstatSync(outputDir).isDirectory()) { throw new ConfigurationError( - `The path specified by the CODEQL_ACTION_SARIF_DUMP_DIR environment variable exists and is not a directory: ${outputDir}` + `The path specified by the ${"CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */} environment variable exists and is not a directory: ${outputDir}` ); } const outputFile = path14.resolve( 
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index 0a23321269..7fbbcb3dc2 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -93169,7 +93169,7 @@ function dumpSarifFile(sarifPayload, outputDir, logger, uploadTarget) { fs14.mkdirSync(outputDir, { recursive: true }); } else if (!fs14.lstatSync(outputDir).isDirectory()) { throw new ConfigurationError( - `The path specified by the CODEQL_ACTION_SARIF_DUMP_DIR environment variable exists and is not a directory: ${outputDir}` + `The path specified by the ${"CODEQL_ACTION_SARIF_DUMP_DIR" /* SARIF_DUMP_DIR */} environment variable exists and is not a directory: ${outputDir}` ); } const outputFile = path15.resolve(
diff --git a/src/upload-lib.ts b/src/upload-lib.ts
index 8a2ca91c67..650e7a803a 100644
--- a/src/upload-lib.ts
+++ b/src/upload-lib.ts
@@ -761,7 +761,7 @@ function dumpSarifFile(
 fs.mkdirSync(outputDir, { recursive: true });
 } else if (!fs.lstatSync(outputDir).isDirectory()) {
 throw new ConfigurationError(
- `The path specified by the CODEQL_ACTION_SARIF_DUMP_DIR environment variable exists and is not a directory: ${outputDir}`,
+ `The path specified by the ${EnvVar.SARIF_DUMP_DIR} environment variable exists and is not a directory: ${outputDir}`,
 );
 }
 const outputFile = path.resolve(