In #3064, we overlooked that upload_lib.uploadFiles is called in the upload-sarif Action, which will fail if it cannot find any SARIF files matching the predicate it is given.

For a Code Quality only analysis, there are no Code Scanning SARIF files and the call to upload_lib.uploadFiles therefore fails before the Code Quality SARIF file(s) can be uploaded.

This PR refactors the upload-sarif Action so that there's common code for Code Scanning and Code Quality to upload either one file or several matching files.

There are some optional, other changes in this PR as well, which I can remove if needed:

• The UploadStatusReport values for each SARIF upload are now combined for telemetry if both analysis kinds are enabled. Otherwise, we use the respective UploadStatusReport.
• I have added a new sarif-ids output to the upload-sarif Action, which contains a stringified JSON object with details of the SARIF ids that we uploaded to different endpoints. Initially I went for just a comma-separated list of IDs, but I thought it would be useful to know which ID is for which service.

Risk assessment

For internal use only. Please select the risk level of this change:

• Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Merge / deployment checklist

• Confirm this change is backwards compatible with existing workflows.
• Consider adding a changelog entry for this change.
• Confirm the readme and docs have been updated if necessary.