github
diff --git a/‎CHANGELOG.md
+1-1 b/‎CHANGELOG.md
+1-1
diff --git a/‎lib/api-client.js
+5-12 b/‎lib/api-client.js
+5-12
diff --git a/‎lib/api-client.js.map
+1-1 b/‎lib/api-client.js.map
+1-1
diff --git a/‎queries/default-setup-environment-variables.ql
+3-2 b/‎queries/default-setup-environment-variables.ql
+3-2
diff --git a/‎src/api-client.ts
+6-19 b/‎src/api-client.ts
+6-19
@@ -6,7 +6,7 @@ Note that the only difference between `v2` and `v3` of the CodeQL Action is the
 
 ## [UNRELEASED]
 
-No user facing changes.
+- Users will no longer need to include `actions: read` permissions to use `upload-sarif` in private repositories.
 
 ## 3.25.6 - 20 May 2024
 
 
@@ -22,8 +22,9 @@ predicate isSafeForDefaultSetup(string envVar) {
       "GITHUB_ACTION_REF", "GITHUB_ACTION_REPOSITORY", "GITHUB_ACTOR", "GITHUB_API_URL",
       "GITHUB_BASE_REF", "GITHUB_EVENT_NAME", "GITHUB_JOB", "GITHUB_RUN_ATTEMPT", "GITHUB_RUN_ID",
       "GITHUB_SHA", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_TOKEN", "GITHUB_WORKFLOW",
-      "GITHUB_WORKSPACE", "GOFLAGS", "ImageVersion", "JAVA_TOOL_OPTIONS", "RUNNER_ARCH",
-      "RUNNER_ENVIRONMENT", "RUNNER_NAME", "RUNNER_OS", "RUNNER_TEMP", "RUNNER_TOOL_CACHE"
+      "GITHUB_WORKFLOW_REF", "GITHUB_WORKSPACE", "GOFLAGS", "ImageVersion", "JAVA_TOOL_OPTIONS",
+      "RUNNER_ARCH", "RUNNER_ENVIRONMENT", "RUNNER_NAME", "RUNNER_OS", "RUNNER_TEMP",
+      "RUNNER_TOOL_CACHE"
     ]
 }
 
 
@@ -121,25 +121,12 @@ export async function getGitHubVersion(): Promise<GitHubVersion> {
  * Get the path of the currently executing workflow relative to the repository root.
  */
 export async function getWorkflowRelativePath(): Promise<string> {
-  const repo_nwo = getRequiredEnvParam("GITHUB_REPOSITORY").split("/");
-  const owner = repo_nwo[0];
-  const repo = repo_nwo[1];
-  const run_id = Number(getRequiredEnvParam("GITHUB_RUN_ID"));
-
-  const apiClient = getApiClient();
-  const runsResponse = await apiClient.request(
-    "GET /repos/:owner/:repo/actions/runs/:run_id?exclude_pull_requests=true",
-    {
-      owner,
-      repo,
-      run_id,
-    },
-  );
-  const workflowUrl = runsResponse.data.workflow_url;
-
-  const workflowResponse = await apiClient.request(`GET ${workflowUrl}`);
-
-  return workflowResponse.data.path;
+  const workflow_ref = process.env["GITHUB_WORKFLOW_REF"];
+  const workflowRegExp = new RegExp("^[^/]+/[^/]+/(.*?)@.*");
+  const match = workflow_ref?.match(workflowRegExp);
+  return new Promise((resolve) => {
+    resolve(match ? match[1] : '');
+  });
 }
 
 /**
Original file line number	Diff line number	Diff line change
`@@ -22,8 +22,9 @@ predicate isSafeForDefaultSetup(string envVar) {`
`22`	`22`	`"GITHUB_ACTION_REF", "GITHUB_ACTION_REPOSITORY", "GITHUB_ACTOR", "GITHUB_API_URL",`
`23`	`23`	`"GITHUB_BASE_REF", "GITHUB_EVENT_NAME", "GITHUB_JOB", "GITHUB_RUN_ATTEMPT", "GITHUB_RUN_ID",`
`24`	`24`	`"GITHUB_SHA", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_TOKEN", "GITHUB_WORKFLOW",`
`25`		`- "GITHUB_WORKSPACE", "GOFLAGS", "ImageVersion", "JAVA_TOOL_OPTIONS", "RUNNER_ARCH",`
`26`		`- "RUNNER_ENVIRONMENT", "RUNNER_NAME", "RUNNER_OS", "RUNNER_TEMP", "RUNNER_TOOL_CACHE"`
	`25`	`+ "GITHUB_WORKFLOW_REF", "GITHUB_WORKSPACE", "GOFLAGS", "ImageVersion", "JAVA_TOOL_OPTIONS",`
	`26`	`+ "RUNNER_ARCH", "RUNNER_ENVIRONMENT", "RUNNER_NAME", "RUNNER_OS", "RUNNER_TEMP",`
	`27`	`+ "RUNNER_TOOL_CACHE"`
`27`	`28`	`]`
`28`	`29`	`}`
`29`	`30`