Upload per-database diagnostic SARIFs on green and red runs

[angelapwen]

On failed runs we now call codeql database diagnostic-export to create and upload a SARIF file for per-database diagnostics. If this file was not created, we fall back on the original behavior of uploading the result of codeql export diagnostics.

On successful runs, we add the --sarif-include-diagnostics option to the codeql database interpret-results command.

Both the addition of the option to the interpret-results call, and the codeql database diagnostic-export call, are gated behind the ExportDiagnosticsEnabled feature flag.

We test the green run scenario with an integration test that adds a diagnostic prior to the analyze step, with the feature flag environment variable override to enable the feature. We check the SARIF file generated to make sure it includes the manually added diagnostic.

[GitHub internal only]: we test the red run scenario by writing a similar workflow as the one in the integration test, but failing the workflow after adding the diagnostic. See run and corresponding tool status page for the surfaced diagnostic.

Merge / deployment checklist

• Confirm this change is backwards compatible with existing workflows.
• Confirm the readme has been updated if necessary.
• Confirm the changelog has been updated if necessary.

[henrymercer]

In the green runs path, we call codeql database interpret-results once per database to produce a SARIF file per DB, combine all these SARIF files together, and then submit a single SARIF file. This has different behaviour to uploading each SARIF file separately, since code scanning will overwrite the existing data for that category each time you upload a new SARIF file.

I think for red runs we can do something simpler — config.dbLocation should always be a DB cluster (at least for all CodeQL versions that support diagnostics). Therefore we should be able to run codeql database export-diagnostics once on that DB cluster and submit the resulting SARIF file.

[angelapwen]

Unrelated CI failures that I'll fix in a separate PR!

[henrymercer]

Looking good so far. An integration test might be tricky to write due to most of the work happening in post-init. We could work around that by creating a separate Action for the test (like we did for the query filters tests), but I'd be happy to merge this with detailed unit tests instead.

[angelapwen]

I've addressed the existing comments other than testing. I need to update some of the existing unit tests to reflect the new behavior, as well as write new ones to confirm that the appropriate export command is called as expected ✍️

[henrymercer]

Nice!

[henrymercer]

I think this will work with the current implementation, but we probably don't want to rely on the ordering of the SARIF file in general. Could we convert this to instead check inclusion?

[angelapwen]

Yep! Done. Not sure if there's a cleaner way to check for inclusion (maybe if I used a filter and checked if there were any elements left afterwards..?)

[henrymercer]

Filtering might be slightly neater. You could then also check we have exactly one diagnostic with that ID.

[angelapwen]

Ah, that's a benefit — done!

[henrymercer]

I'd recommend using some functional list methods to simplify the tests, otherwise LGTM