fix: correct SARIF fix to remove entire invalid fixes entries

Previous attempts:
1. Converting invalid artifactChanges to empty arrays [] - failed with "minimum length of 1"
2. Deleting artifactChanges field - failed with "requires property artifactChanges"

Root cause: SARIF spec requires fix objects to have valid artifactChanges arrays (non-empty).
Solution: Remove entire fix entries that don't have valid artifactChanges, rather than trying to fix the field.

Validation:
- Tested locally with gosec output
- Invalid fixes (description only) → removed entirely
- Valid fixes (with artifactChanges) → preserved
- Results with no fixes → unchanged

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>

Author: arimxyer

.github/workflows/ci.yml

@@ -154,7 +154,7 @@ jobs:
 
       - name: Fix SARIF format
         run: |
-          jq 'del(.runs[].results[].fixes[]? | select(has("artifactChanges") and (.artifactChanges | type != "array" or length == 0)) | .artifactChanges)' results.sarif > results-fixed.sarif
+          jq '.runs[].results[] |= if .fixes then .fixes |= map(select(.artifactChanges and (.artifactChanges | type == "array" and length > 0))) else . end' results.sarif > results-fixed.sarif
           mv results-fixed.sarif results.sarif
 
       - name: Upload SARIF file

.github/workflows/security-scan.yml

@@ -36,7 +36,7 @@ jobs:
 
       - name: Fix SARIF format
         run: |
-          jq 'del(.runs[].results[].fixes[]? | select(has("artifactChanges") and (.artifactChanges | type != "array" or length == 0)) | .artifactChanges)' results.sarif > results-fixed.sarif
+          jq '.runs[].results[] |= if .fixes then .fixes |= map(select(.artifactChanges and (.artifactChanges | type == "array" and length > 0))) else . end' results.sarif > results-fixed.sarif
           mv results-fixed.sarif results.sarif
 
       - name: Verify SARIF fix