Fix undeclared action inputs #112
Merged
If this works the same as it did locally then this will fix all of the alerts from https://github.com/github/codeql-action/security/code-scanning
Some of them were false positives because our analysis was mistakenly determining that all of the methods from the CodeQL object were called, when actually they were just defined. I fixed this by giving the analysis knowledge of the CodeQL object and how it is defined. I'm a little worried the knowledge is too specific, so for example we'll have to adjust the query if we rename the method, but since it's all in one repository at least this would be easy to do. Resolving the codeql functions is then just done by name, which hopefully will be good enough. Again I think this is a case of make the analysis good enough and if it's a bit of an over-approximation then we'll fix it in the future when it becomes a problem.
There was one true positive too that I have also fixed in this PR. I think we do still need this checkout_path input for the analyze action. I'm not sure we can rely on just always using the workspace directory for this action while allowing the user to specify another directory for the upload-sarif action. The user could have checked out their src to some subdirectory, though I do see this as an unlikely situation. I don't think there's any harm in adding the input in, when we have it for the upload-sarif action already.
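The kind of mismatch this PR fixes (a `core.getInput` read with no matching entry under `inputs:` in action.yml) can be caught by a small cross-check; the example below is added here and is not the codeql-action's own CodeQL query. The action.yml text and the TypeScript source are constructed samples, and the YAML handling assumes two-space indentation with one input name per line.

```javascript
// Added example: report action inputs that the source reads but action.yml
// does not declare. Both inputs below are constructed, not taken from the repo.

const ACTION_YML = `name: 'Constructed example action'
inputs:
  check_name:
    description: 'The name of the check run to add text to.'
    required: false
  upload:
    description: 'Upload the SARIF file'
    required: false
runs:
  using: 'node12'
`;

const SOURCE = `import * as core from '@actions/core';
export async function run() {
  const checkName = core.getInput('check_name');
  const checkoutPath = core.getInput('checkout_path'); // not declared in action.yml
  const upload = core.getInput("upload") === 'true';
}
`;

// Names declared under the top-level `inputs:` key. Assumes two-space
// indentation: an input name is a line of exactly "  name:" while inside
// the inputs block; deeper-indented keys (description, required) are skipped.
function declaredInputs(yaml) {
  const names = new Set();
  let inInputs = false;
  for (const line of yaml.split('\n')) {
    if (/^inputs:\s*$/.test(line)) { inInputs = true; continue; }
    if (inInputs && /^\S/.test(line)) inInputs = false; // next top-level key
    const m = inInputs ? line.match(/^  ([A-Za-z0-9_-]+):\s*$/) : null;
    if (m) names.add(m[1]);
  }
  return names;
}

// Every string literal passed to core.getInput(...) in the source.
function readInputs(src) {
  const names = new Set();
  for (const m of src.matchAll(/core\.getInput\(\s*['"]([^'"]+)['"]/g)) names.add(m[1]);
  return names;
}

// Inputs that are read but never declared; these would silently be empty at runtime.
function undeclaredInputs(yaml, src) {
  const declared = declaredInputs(yaml);
  return [...readInputs(src)].filter((n) => !declared.has(n)).sort();
}

console.log('undeclared inputs:', undeclaredInputs(ACTION_YML, SOURCE));
```

A real query over a TypeScript code base would resolve the call target rather than match on text, which is the over-approximation the comment above accepts for now.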