Fix upload-sarif potentially initialising CodeQL twice (second attempt)

[mbg]

This is a fresh attempt at #3006 based on the suggestion in #3006 (review).

This wasn't a priority to fix, but I am working on something else that requires a CodeQL instance in upload-sarif and thought it would make sense to address this first.

Risk assessment

For internal use only. Please select the risk level of this change:

• High risk: Changes are not fully under feature flags, have limited visibility and/or cannot be tested outside of production.

Which use cases does this change impact?

Workflow types:

• Advanced setup - Impacts users who have custom CodeQL workflows.
• Managed - Impacts users with dynamic workflows (Default Setup, Code Quality, ...).

Products:

• Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
• Code Quality - The changes impact analyses when analysis-kinds: code-quality.
• Other first-party - The changes impact other first-party analyses.
• Third-party analyses - The changes affect the upload-sarif action.

Environments:

• Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.
• GHES - Impacts CodeQL workflows on GitHub Enterprise Server.

How did/will you validate this change?

• Test repository - This change will be tested on a test repository before merging.
• Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
• End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

• Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

• Telemetry - I rely on existing telemetry or have made changes to the telemetry.
  • Dashboards - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
  • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

• No special considerations - This change can be merged at any time.

Merge / deployment checklist

• Confirm this change is backwards compatible with existing workflows.
• Consider adding a changelog entry for this change.
• Confirm the readme and docs have been updated if necessary.

[Copilot]

Pull request overview

This PR refactors the upload-sarif flow to avoid potentially initializing the CodeQL CLI more than once by moving CodeQL acquisition/initialization earlier and threading a shared CodeQL getter + temp directory through SARIF post-processing.

Changes:

• Extend postProcessAndUploadSarif / postProcessSarifFiles to accept a CodeQLGetter and temp directory, so combining SARIF via CLI can reuse a single CodeQL instance.
• Add getOrInitCodeQL caching in upload-sarif-action and introduce minimalInitCodeQL in upload-lib for upload-only initialization.
• Update call sites and tests (analyze, init post helper, and upload-sarif tests) for the new parameter flow.

Reviewed changes

Copilot reviewed 7 out of 11 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/upload-sarif.ts	Threads tempPath + getCodeQL into SARIF post-processing.
src/upload-sarif.test.ts	Updates stubs/calls to match the new postProcessAndUploadSarif signature.
src/upload-sarif-action.ts	Adds cached CodeQL initialization and ensures temp dir/config are determined up front.
src/upload-lib.ts	Introduces minimalInitCodeQL, adds CodeQLGetter, and propagates getter/temp dir into CLI SARIF combining + upload flow.
src/init-action-post-helper.ts	Updates failed-SARIF upload to pass tempDir + codeql into uploadFiles.
src/init-action-post-helper.test.ts	Adjusts expectations for updated uploadFiles signature.
src/analyze-action.ts	Passes config.tempDir and a CodeQLGetter into postProcessAndUploadSarif.

[henrymercer]

Looks good, but do we actually have a PR check that tests this behaviour? It would need to:

• not call init
• upload multiple SARIF files

[henrymercer]

Drive-by cleanup: Remove this arg?