From 44b5714d07e67160ee860da7bb0aba9c9c5e6a81 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 3 Mar 2026 19:46:50 +0000
Subject: [PATCH 1/3] Initial plan


From e33ec509ad89aaafc9a2a60b70d8809b705f830c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 3 Mar 2026 19:50:56 +0000
Subject: [PATCH 2/3] Fix security-scan workflow: update CodeQL Action to v4
 and fix SARIF upload condition

Co-authored-by: IEvangelist <7679720+IEvangelist@users.noreply.github.com>
---
 .github/workflows/security-scan.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 7c0ad6c7b..5d9ba425e 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -46,6 +46,7 @@ jobs:
       continue-on-error: true
 
     - name: Trivy filesystem vulnerability scan (SARIF)
+      id: trivy
       uses: aquasecurity/trivy-action@0.24.0
       with:
         scan-type: fs
@@ -58,8 +59,8 @@ jobs:
       continue-on-error: true
 
     - name: Upload SARIF to GitHub code scanning
-      if: ${{ always() }}
-      uses: github/codeql-action/upload-sarif@v3
+      if: ${{ always() && steps.trivy.outcome == 'success' }}
+      uses: github/codeql-action/upload-sarif@v4
       with:
         sarif_file: trivy-results.sarif
 

From b15d538189dd8130cca080388c14d9af6f2bba2e Mon Sep 17 00:00:00 2001
From: David Pine <david.pine@microsoft.com>
Date: Tue, 3 Mar 2026 19:58:17 -0600
Subject: [PATCH 3/3] Update .github/workflows/security-scan.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/security-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 5d9ba425e..059f7d91c 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -59,7 +59,7 @@ jobs:
       continue-on-error: true
 
     - name: Upload SARIF to GitHub code scanning
-      if: ${{ always() && steps.trivy.outcome == 'success' }}
+      if: ${{ steps.trivy.outcome == 'success' && hashFiles('trivy-results.sarif') != '' }}
       uses: github/codeql-action/upload-sarif@v4
       with:
         sarif_file: trivy-results.sarif