Describe the bug
I'm seeing a warning annotation in my GitHub Actions workflow runs when running Poutine with boostsecurityio/poutine-action and uploading the SARIF to GitHub Code Scanning using github/codeql-action/upload-sarif:
Warning: Calculated fingerprint of a9816991c6119a52:1 for file .github/workflows/reusable-deploy-tag.yml line 135, but found existing inconsistent fingerprint value 4cd97deb09213bc67a653eb6bfef2f1ad8ff49321c613dcf88998c549d344f29
Example workflow run: https://github.com/johnbillion/plugin-infrastructure/actions/runs/22165009558/job/64090286143#step:5:15
A brief look at Poutine and upload-sarif suggests that they're using a different means of generating the fingerprint, hence the warning.
To Reproduce
steps:
  - name: Checkout repository
    uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
    with:
      persist-credentials: false
  - name: Run Poutine
    uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2
  - name: Upload poutine SARIF file
    uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
    with:
      sarif_file: results.sarif
      category: poutine
      wait-for-processing: false
Expected behavior
I would not expect a warning in this scenario; however, I appreciate that the warning is not actually coming from Poutine, so I'm not sure what the correct fix would be or where it should be made.
Screenshots
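A check for the fingerprint mismatch reported in this issue, as an added example that is not part of the original report and is not code from Poutine or codeql-action. It assumes the tool-supplied fingerprint sits under `partialFingerprints.primaryLocationLineHash` in the SARIF file; the sample SARIF and its rule id are constructed, using only the two values quoted in the warning.

```python
import copy
import re

# Shape of the value the warning calls "calculated": 16 hex digits,
# a colon, then an occurrence counter (e.g. a9816991c6119a52:1).
CALCULATED_SHAPE = re.compile(r"^[0-9a-f]{16}:\d+$")
# Assumption: the tool writes its own fingerprint under this SARIF key.
KEY = "primaryLocationLineHash"

# Constructed sample: one result with a pre-set fingerprint, one without.
SAMPLE = {"version": "2.1.0", "runs": [{"results": [
    {"ruleId": "example-rule",  # placeholder rule id
     "partialFingerprints": {KEY: "4cd97deb09213bc67a653eb6bfef2f1a"
                                  "d8ff49321c613dcf88998c549d344f29"},
     "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": ".github/workflows/reusable-deploy-tag.yml"},
         "region": {"startLine": 135}}}]},
    {"ruleId": "example-rule", "locations": []},
]}]}


def audit_fingerprints(sarif):
    """Return (uri, line, value) for every result whose pre-set fingerprint
    cannot equal a calculated one because its shape differs."""
    findings = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            value = result.get("partialFingerprints", {}).get(KEY)
            if value is None or CALCULATED_SHAPE.match(value):
                continue  # absent, or same shape (may still differ in value)
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append((loc.get("artifactLocation", {}).get("uri"),
                             loc.get("region", {}).get("startLine"), value))
    return findings


def strip_fingerprints(sarif):
    """One possible workaround (not endorsed by either project): return a
    copy without the pre-set key, leaving only the uploader's own value."""
    cleaned = copy.deepcopy(sarif)
    for run in cleaned.get("runs", []):
        for result in run.get("results", []):
            result.get("partialFingerprints", {}).pop(KEY, None)
    return cleaned


if __name__ == "__main__":
    for uri, line, value in audit_fingerprints(SAMPLE):
        print(f"{uri}:{line} carries non-matching fingerprint {value}")
```

Code scanning uses these fingerprints to match alerts across runs, so changing which value is uploaded can affect how existing alerts are tracked.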