## Description Enable cora-cli to directly upload SARIF results to GitHub Code Scanning API, making review findings visible in the PR "Security" tab. ## Acceptance Criteria - [ ] `cora review --upload-sarif` uploads results via GitHub API - [ ] Auto-detects repository context from git remote - [ ] Supports `GITHUB_TOKEN` and `GH_TOKEN` for auth - [ ] Sets correct `run_id` and `tool` metadata in SARIF - [ ] Works in GitHub Actions (with `GITHUB_TOKEN`) and locally (with `GH_TOKEN`) ## Implementation Notes - Use `gh api` CLI or octocrab crate for GitHub API calls - SARIF spec: https://docs.oasis-open.org/sarif/sarif/v2.1.0/ - Reference: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github
Description
Enable cora-cli to directly upload SARIF results to GitHub Code Scanning API, making review findings visible in the PR "Security" tab.
Acceptance Criteria
cora review --upload-sarifuploads results via GitHub APIGITHUB_TOKENandGH_TOKENfor authrun_idandtoolmetadata in SARIFGITHUB_TOKEN) and locally (withGH_TOKEN)Implementation Notes
gh apiCLI or octocrab crate for GitHub API calls