Merge pull request #3474 from github/mbg/risk-assessment-analysis

Add `csra` analysis kind

.github/workflows/__analysis-kinds.yml

@@ -3,7 +3,7 @@
 #     pr-checks/sync.sh
 # to regenerate this file.
 
-name: PR Check - Quality queries input
+name: PR Check - Analysis kinds
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GO111MODULE: auto
@@ -29,9 +29,9 @@ defaults:
     shell: bash
 concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' || false }}
-  group: quality-queries-${{github.ref}}
+  group: analysis-kinds-${{github.ref}}
 jobs:
-  quality-queries:
+  analysis-kinds:
     strategy:
       fail-fast: false
       matrix:
@@ -45,6 +45,9 @@ jobs:
           - os: ubuntu-latest
             version: linked
             analysis-kinds: code-scanning,code-quality
+          - os: ubuntu-latest
+            version: linked
+            analysis-kinds: risk-assessment
           - os: ubuntu-latest
             version: nightly-latest
             analysis-kinds: code-scanning
@@ -54,7 +57,10 @@ jobs:
           - os: ubuntu-latest
             version: nightly-latest
             analysis-kinds: code-scanning,code-quality
-    name: Quality queries input
+          - os: ubuntu-latest
+            version: nightly-latest
+            analysis-kinds: risk-assessment
+    name: Analysis kinds
     if: github.triggering_actor != 'dependabot[bot]'
     permissions:
       contents: read
@@ -81,30 +87,24 @@ jobs:
           output: ${{ runner.temp }}/results
           upload-database: false
           post-processed-sarif-path: ${{ runner.temp }}/post-processed
-      - name: Upload security SARIF
-        if: contains(matrix.analysis-kinds, 'code-scanning')
+
+      - name: Upload SARIF files
         uses: actions/upload-artifact@v6
         with:
           name: |
-            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
-          path: ${{ runner.temp }}/results/javascript.sarif
-          retention-days: 7
-      - name: Upload quality SARIF
-        if: contains(matrix.analysis-kinds, 'code-quality')
-        uses: actions/upload-artifact@v6
-        with:
-          name: |
-            quality-queries-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.quality.sarif.json
-          path: ${{ runner.temp }}/results/javascript.quality.sarif
+            analysis-kinds-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
+          path: ${{ runner.temp }}/results/*.sarif
           retention-days: 7
+
       - name: Upload post-processed SARIF
         uses: actions/upload-artifact@v6
         with:
           name: |
-            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}.sarif.json
+            post-processed-${{ matrix.os }}-${{ matrix.version }}-${{ matrix.analysis-kinds }}
           path: ${{ runner.temp }}/post-processed
           retention-days: 7
           if-no-files-found: error
+
       - name: Check quality query does not appear in security SARIF
         if: contains(matrix.analysis-kinds, 'code-scanning')
         uses: actions/github-script@v8
@@ -122,6 +122,7 @@ jobs:
         with:
           script: ${{ env.CHECK_SCRIPT }}
     env:
+      CODEQL_ACTION_RISK_ASSESSMENT_ID: 1
       CHECK_SCRIPT: |
         const fs = require('fs');