github
diff --git a/‎CHANGELOG.md
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎lib/api-client.js
Lines changed: 10 additions & 0 deletions b/‎lib/api-client.js
Lines changed: 10 additions & 0 deletions
diff --git a/‎lib/api-client.js.map
Lines changed: 1 addition & 1 deletion b/‎lib/api-client.js.map
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/api-client.ts
Lines changed: 10 additions & 0 deletions b/‎src/api-client.ts
Lines changed: 10 additions & 0 deletions
@@ -8,6 +8,7 @@ Note that the only difference between `v2` and `v3` of the CodeQL Action is the
 
 - Update default CodeQL bundle version to 2.16.2. [#2124](https://github.com/github/codeql-action/pull/2124)
 - The CodeQL action no longer fails if it can't write to the telemetry api endpoint. [#2121](https://github.com/github/codeql-action/pull/2121)
+- Users of GHES3.9+ and GHEC will no longer need to include `actions: read` permissions to use `upload-sarif` in private repositories.
 
 ## 3.24.0 - 02 Feb 2024
 
 
@@ -119,6 +119,16 @@ export async function getGitHubVersion(): Promise<GitHubVersion> {
  * Get the path of the currently executing workflow relative to the repository root.
  */
 export async function getWorkflowRelativePath(): Promise<string> {
+  const workflow_ref = process.env["GITHUB_WORKFLOW_REF"];
+  if (workflow_ref !== undefined) {
+    const workflowRegExp = new RegExp("^[^/]+/[^/]+/(.*?)@.*");
+    const match = workflow_ref.match(workflowRegExp);
+    if (match) {
+      return new Promise((resolve) => {
+        resolve(match[1]);
+      });
+    }
+  }
   const repo_nwo = getRequiredEnvParam("GITHUB_REPOSITORY").split("/");
   const owner = repo_nwo[0];
   const repo = repo_nwo[1];