CI: make Codacy SARIF upload resilient to empty runs

[abhimehro]

Codacy Security Scan has been intermittently failing at the SARIF upload step with:

Invalid request. 1 item required; only 0 were supplied.

The failing run showed github/codeql-action/upload-sarif@v3 attempting to upload results.sarif.

This PR adds a small normalization step that ensures the generated SARIF contains at least one runs entry before upload. GitHub code scanning rejects SARIF payloads with 0 runs, even when there are 0 findings.

SECURITY NOTE:

• The normalization step is local-only (no network calls) and does not touch secrets.
• It preserves existing SARIF content when runs are present.

Co-Authored-By: Warp agent@warp.dev

[trunk-io]

Merging to main in this repository is managed by Trunk.

• To merge this pull request, check the box to the left or comment /trunk merge below.

[gemini-code-assist]

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

[github-actions]

👋 Development Partner is reviewing this PR. Will provide feedback shortly.

[github-actions]

👋 Development Partner is reviewing this PR. Will provide feedback shortly.

[Copilot]

Pull request overview

This PR addresses intermittent failures in the Codacy Security Scan workflow caused by GitHub's code scanning API rejecting SARIF files with empty runs arrays. The fix adds a normalization step that ensures at least one (empty) run entry exists in the SARIF output before upload.

Changes:

• Added a Python normalization script between the Codacy analysis and SARIF upload steps
• Script validates the SARIF file exists and contains valid JSON
• When runs is missing or empty, inserts a minimal valid SARIF run entry to satisfy GitHub's API requirements
• Preserves existing SARIF content when runs are already present

[github-actions]

👋 Development Partner is reviewing this PR. Will provide feedback shortly.