Upload-sarif action doesn't seem to respect "uriBaseId" in SARIF files #2215

Open
@scottjasso

We're using "Android Lint" to generate a sarif file. The sarif locations use this pattern:

    "originalUriBaseIds": {
        "%SRCROOT%": {
            "uri": "file:///runner/_work/myrepo/myrepo/some/repo/dir/"
        }
    },
    ...
    "physicalLocation": {
        "artifactLocation": {
            "uriBaseId": "%SRCROOT%",
            "uri": "src/main/kotlin/Foo.kt"
        },

The artifact location is relative to this uriBaseId. This is a reference to originalUriBaseIds, which the SARIF spec says should be used by consumers to find the absolute path.

However, the upload-sarif action debug logs show lines such as this:

    ##[debug]Unable to compute fingerprint for non-existent file: /runner/_work/myrepo/myrepo/src/main/kotlin/Foo.kt

which shows that it's not resolving paths using that %SRCROOT% path -- the correct path would be /runner/_work/myrepo/myrepo/some/repo/dir/src/main/kotlin/Foo.kt. We also see that the code scanning page says src/main/kotlin/Foo.kt can't be found in our repo ("Sorry, we couldn't find this file in the repository.").

(Caveat: we're using v2 because we can't use node20 in our private runners yet)
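
An added example, not part of the original issue or of the action's own code: a pre-upload step that resolves each result's `artifactLocation` against `originalUriBaseIds` and rewrites it relative to the checkout root, so findings still map to files when a consumer ignores `uriBaseId`. It assumes, as the debug log above suggests, that relative URIs are treated as relative to the checkout root; the function names and the sample document are constructed, and only `results[].locations` are rewritten.

```python
import copy
import posixpath
from urllib.parse import unquote, urlparse

def resolve_uri(loc, base_ids, seen=()):
    """Resolve an artifactLocation against originalUriBaseIds (bases may nest)."""
    uri, base_id = loc.get("uri", ""), loc.get("uriBaseId")
    if urlparse(uri).scheme or base_id is None:
        return uri  # already absolute, or nothing to resolve against
    if base_id in seen or base_id not in base_ids:
        return uri  # cyclic or undefined base: leave the URI unchanged
    base = resolve_uri(base_ids[base_id], base_ids, seen + (base_id,))
    if not base:
        return uri
    return base + ("" if base.endswith("/") else "/") + uri

def rebase_to_checkout(sarif, checkout_root):
    """Return a copy whose result locations are relative to checkout_root."""
    out = copy.deepcopy(sarif)
    root = posixpath.normpath(checkout_root)
    for run in out.get("runs", []):
        base_ids = run.get("originalUriBaseIds", {})
        for result in run.get("results", []):
            for location in result.get("locations", []):
                art = location.get("physicalLocation", {}).get("artifactLocation")
                if not art:
                    continue
                parsed = urlparse(resolve_uri(art, base_ids))
                if parsed.scheme != "file" or not parsed.path.startswith("/"):
                    continue  # not a local absolute path: leave as reported
                path = posixpath.normpath(unquote(parsed.path))
                if posixpath.commonpath([root, path]) != root:
                    continue  # resolves outside the checkout (e.g. via ".."): skip
                art["uri"] = posixpath.relpath(path, root)
                art.pop("uriBaseId", None)  # the URI no longer depends on the base
    return out

# Constructed sample, modelled on the excerpt in the issue.
SAMPLE = {"version": "2.1.0", "runs": [{
    "originalUriBaseIds": {
        "%SRCROOT%": {"uri": "file:///runner/_work/myrepo/myrepo/some/repo/dir/"}},
    "results": [{"locations": [{"physicalLocation": {"artifactLocation": {
        "uriBaseId": "%SRCROOT%", "uri": "src/main/kotlin/Foo.kt"}}}]}],
}]}

if __name__ == "__main__":
    import json
    print(json.dumps(rebase_to_checkout(SAMPLE, "/runner/_work/myrepo/myrepo"), indent=2))
```
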
