codeql: publish the sarif file as build artifact

In some instances, CodeQL's web UI on github.com leaves questions
unanswered. For example, in some alerts it is really necessary to follow
the entire "taint flow" to understand why something might be an issue.

The alerts for the `cpp/uncontrolled-allocation-size` rule, for example,
are all false positives, and only when inspecting the exact flow does it
become obvious that one alert wants to point out that the size of a
binary patch hunk, which is specified in the patch, is then used to
determine how much memory to allocate, which may potentially run out of
memory (and is hence just Git doing what it is asked to, and does not
need to be changed).

To help with those issues, publish the `.sarif` file as part of every
workflow run; This allows downloading that file and inspecting it e.g.
with the SARIF viewer extension in VS Code (for details, see
https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer).

Signed-off-by: Johannes Schindelin <[email protected]>

Author: dscho

.github/workflows/codeql.yml

@@ -44,3 +44,21 @@ jobs:
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
+        with:
+          upload: False
+          output: sarif-results
+
+      - name: debug
+        shell: bash
+        run: ls -la sarif-results
+
+      - name: publish sarif for debugging
+        uses: actions/upload-artifact@v4
+        with:
+          name: sarif-results
+          path: sarif-results
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+         sarif_file: sarif-results/cpp.sarif