
Member

@mbg mbg commented Oct 14, 2025

This replaces the two calls to uploadFiles in the analyze action with one call to uploadSarif. We introduced uploadSarif in #3167 for the upload-sarif action. Using uploadSarif here means that we no longer use different implementations of the same logic in analyze and upload-sarif.

Risk assessment

For internal use only. Please select the risk level of this change:

  • Low risk:

Which use cases does this change impact?

  • Advanced setup - Impacts users who have custom workflows.
  • Default setup - Impacts users who use default setup.
  • Code Scanning - Impacts Code Scanning (i.e. analysis-kinds: code-scanning).
  • Code Quality - Impacts Code Quality (i.e. analysis-kinds: code-quality).
  • GHES - Impacts GitHub Enterprise Server.

How did/will you validate this change?

  • Test repository - This change will be tested on a test repository before merging.
  • Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
  • End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

  • FF
  • Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

  • Telemetry - I rely on existing telemetry or have made changes to the telemetry.
    • Dashboards - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
    • Alerts - New or existing monitors will trip if something goes wrong with this change.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Consider adding a changelog entry for this change.
  • Confirm the readme and docs have been updated if necessary.

@mbg mbg requested a review from a team as a code owner October 14, 2025 18:53
@mbg mbg marked this pull request as draft October 14, 2025 18:56
@mbg mbg marked this pull request as ready for review October 21, 2025 22:54
Copilot AI review requested due to automatic review settings October 21, 2025 22:54
Contributor

Copilot AI left a comment

Pull Request Overview

This PR refactors the analyze action to use the uploadSarif function instead of making separate calls to uploadFiles for Code Scanning and Code Quality analyses. The change consolidates SARIF upload logic that was previously duplicated between the analyze and upload-sarif actions.

Key changes:

  • Replaces two separate uploadFiles calls with a single uploadSarif call that handles both Code Scanning and Code Quality uploads
  • Changes the upload result tracking from a single UploadResult to a record mapping analysis kinds to their respective results
  • Updates all references to the upload results throughout the action to access the appropriate analysis kind

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| src/analyze-action.ts | Refactors upload logic to use uploadSarif and updates result handling to work with grouped results by analysis kind |
| lib/analyze-action.js | Generated JavaScript code reflecting the TypeScript changes, including new helper functions for SARIF file grouping |

@github-actions github-actions bot added the size/S Should be easy to review label Oct 21, 2025
esbena previously approved these changes Oct 22, 2025
Contributor

@esbena esbena left a comment

LGTM, with one optional code style comment.

Contributor

@henrymercer henrymercer left a comment

This looks good. Thanks for adding the feature flag. I think you can update the classification in the PR description to low risk now.

@mbg mbg merged commit 4264208 into main Oct 22, 2025
250 of 251 checks passed
@mbg mbg deleted the mbg/analyze/use-upload-sarif branch October 22, 2025 16:45