
@samth I have a fix for this problem. Can submit a PR. The question is, has it ever worked? I don’t see any annotation on GitHub (https://github.com/racket/racket/security)

Also, I’m confused. The content of the SARIF files is in this format:
"artifacts": [
  {
    "length": 206345,
    "location": {
      "uri": "file:///__w/racket/racket/racket/src/zuo/zuo.c"
    },
    "mimeType": "text/plain",
    "roles": [
      "resultFile"
    ]
  }
Does GitHub understand paths that start with __w?

Another question: in the workflow, 3m and CS are built by building CGC first, and then use --enable-racket=/usr/bin/racket. Is it actually worth it compared to building the variants directly right away?

It does work, you just can’t see the results because it’s “security”

I think it saves a bit of time

Ah, right.

I think the file path I mentioned above is an issue. In my local repo, this is what I see

Looks like file:///__w/racket/racket/ should be stripped away

which is weird because it used to work last year