Generate the "Submit SARIF after failure" workflow

pr-checks/checks/submit-sarif-failure.yml

@@ -0,0 +1,32 @@
+name: Submit SARIF after failure
+description: Check that a SARIF file is submitted for the workflow run if it fails
+versions: ["latest", "cached", "nightly-latest"]
+operatingSystems: ["ubuntu"]
+
+env:
+  # Internal-only environment variable used to indicate that the post-init Action
+  # should expect to upload a SARIF file for the failed run.
+  CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF: true
+  # Make sure the uploading SARIF files feature is enabled.
+  CODEQL_ACTION_UPLOAD_FAILED_SARIF: true
+  # Upload the failed SARIF file as an integration test of the API endpoint.
+  CODEQL_ACTION_TEST_MODE: false
+
+steps:
+  - uses: actions/checkout@v3
+  - uses: ./init
+    with:
+      languages: javascript
+  - name: Fail
+    # We want this job to pass if the Action correctly uploads the SARIF file for
+    # the failed run.
+    # Setting this step to continue on error means that it is marked as completing
+    # successfully, so will not fail the job.
+    continue-on-error: true
+    run: exit 1
+  - uses: ./analyze
+    # In a real workflow, this step wouldn't run. Since we used `continue-on-error`
+    # above, we manually disable it with an `if` condition.
+    if: false
+    with:
+      category: "/test-codeql-version:${{ matrix.version }}"

pr-checks/sync.py

@@ -115,7 +115,8 @@ def writeHeader(checkStream):
             checkJob[key] = checkSpecification[key]
 
     checkJob['env'] = checkJob.get('env', {})
-    checkJob['env']['CODEQL_ACTION_TEST_MODE'] = True
+    if 'CODEQL_ACTION_TEST_MODE' not in checkJob['env']:
+        checkJob['env']['CODEQL_ACTION_TEST_MODE'] = True
     checkName = file[:len(file) - 4]
 
     with open(f"../.github/workflows/__{checkName}.yml", 'w') as output_stream: