Only delete SARIF in PR check if not running on a fork (#2084)

src/analyze-action.ts

@@ -36,7 +36,6 @@ import { getTotalCacheSize, uploadTrapCaches } from "./trap-caching";
 import * as uploadLib from "./upload-lib";
 import { UploadResult } from "./upload-lib";
 import * as util from "./util";
-import { checkForTimeout, wrapError } from "./util";
 
 interface AnalysisStatusReport
   extends uploadLib.UploadStatusReport,
@@ -355,7 +354,7 @@ async function run() {
     }
     core.exportVariable(EnvVar.ANALYZE_DID_COMPLETE_SUCCESSFULLY, "true");
   } catch (unwrappedError) {
-    const error = wrapError(unwrappedError);
+    const error = util.wrapError(unwrappedError);
     if (
       actionsUtil.getOptionalInput("expect-error") !== "true" ||
       hasBadExpectErrorInput()
@@ -436,9 +435,9 @@ async function runWrapper() {
   try {
     await runPromise;
   } catch (error) {
-    core.setFailed(`analyze action failed: ${wrapError(error).message}`);
+    core.setFailed(`analyze action failed: ${util.wrapError(error).message}`);
   }
-  await checkForTimeout();
+  await util.checkForTimeout();
 }
 
 void runWrapper();

src/init-action-post-helper.ts

@@ -1,3 +1,5 @@
+import * as github from "@actions/github";
+
 import * as actionsUtil from "./actions-util";
 import { getApiClient } from "./api-client";
 import { getCodeQL } from "./codeql";
@@ -183,7 +185,14 @@ export async function run(
   }
 
   if (process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true") {
-    await removeUploadedSarif(uploadFailedSarifResult, logger);
+    if (!github.context.payload.pull_request?.head.repo.fork) {
+      await removeUploadedSarif(uploadFailedSarifResult, logger);
+    } else {
+      logger.info(
+        "Skipping deletion of failed SARIF because the workflow was triggered from a fork of " +
+          "codeql-action and doesn't have the appropriate permissions for deletion.",
+      );
+    }
   }
 
   // Upload appropriate Actions artifacts for debugging