github
diff --git a/‎lib/actions-util.js
+1 b/‎lib/actions-util.js
+1
diff --git a/‎lib/actions-util.js.map
+1-1 b/‎lib/actions-util.js.map
+1-1
diff --git a/‎lib/upload-lib.js
+1-1 b/‎lib/upload-lib.js
+1-1
diff --git a/‎lib/upload-lib.js.map
+1-1 b/‎lib/upload-lib.js.map
+1-1
diff --git a/‎lib/upload-lib.test.js
+8 b/‎lib/upload-lib.test.js
+8
diff --git a/‎lib/upload-lib.test.js.map
+1-1 b/‎lib/upload-lib.test.js.map
+1-1
diff --git a/‎src/actions-util.ts
+1 b/‎src/actions-util.ts
+1
diff --git a/‎src/upload-lib.test.ts
+10 b/‎src/upload-lib.test.ts
+10
diff --git a/‎src/upload-lib.ts
+17-3 b/‎src/upload-lib.ts
+17-3
@@ -85,6 +85,7 @@ export const getCommitOid = async function (ref = "HEAD"): Promise<string> {
     core.info(
       `Failed to call git to get current commit. Continuing with data from environment: ${e}`
     );
+    core.info((e as Error).stack || "NO STACK");
     return getRequiredEnvParam("GITHUB_SHA");
   }
 };
 
@@ -185,4 +185,14 @@ test("validateUniqueCategory", (t) => {
 
   t.notThrows(() => uploadLib.validateUniqueCategory("def"));
   t.throws(() => uploadLib.validateUniqueCategory("def"));
+
+  // Our category sanitization is not perfect. Here are some examples
+  // of where we see false clashes
+  t.notThrows(() => uploadLib.validateUniqueCategory("abc/def"));
+  t.throws(() => uploadLib.validateUniqueCategory("abc@def"));
+  t.throws(() => uploadLib.validateUniqueCategory("abc_def"));
+  t.throws(() => uploadLib.validateUniqueCategory("abc def"));
+
+  // this one is fine
+  t.notThrows(() => uploadLib.validateUniqueCategory("abc_ def"));
 });
@@ -404,15 +404,29 @@ async function uploadFiles(
 export function validateUniqueCategory(category: string | undefined) {
   if (util.isActions()) {
     // This check only works on actions as env vars don't persist between calls to the runner
-    const sentinelEnvVar = `CODEQL_UPLOAD_SARIF + ${
-      category ? `_${category}` : ""
+    const sentinelEnvVar = `CODEQL_UPLOAD_SARIF${
+      category ? `_${sanitize(category)}` : ""
     }`;
     if (process.env[sentinelEnvVar]) {
       throw new Error(
         "Aborting upload: only one run of the codeql/analyze or codeql/upload-sarif actions is allowed per job per category. " +
-          "Please specify a unique `category` to call this action multiple times."
+          "Please specify a unique `category` to call this action multiple times. " +
+          `Category: ${category ? category : "(none)"}`
       );
     }
     core.exportVariable(sentinelEnvVar, sentinelEnvVar);
   }
 }
+
+/**
+ * Santizes a string to be used as an environment variable name.
+ * This will replace all non-alphanumeric characters with underscores.
+ * There could still be some false category clashes if two uploads
+ * occur that differ only in their non-alphanumeric characters. This is
+ * unlikely.
+ *
+ * @param str the initial value to sanitize
+ */
+function sanitize(str: string) {
+  return str.replace(/[^a-zA-Z0-9_]/g, "_");
+}
Original file line number	Diff line number	Diff line change
`@@ -85,6 +85,7 @@ export const getCommitOid = async function (ref = "HEAD"): Promise<string> {`
`85`	`85`	`core.info(`
`86`	`86`	`Failed to call git to get current commit. Continuing with data from environment: ${e}`
`87`	`87`	`);`
	`88`	`+ core.info((e as Error).stack \|\| "NO STACK");`
`88`	`89`	`return getRequiredEnvParam("GITHUB_SHA");`
`89`	`90`	`}`
`90`	`91`	`};`