Improve broken security-events handling for private repositories without Advanced Security #2125

@jsoref

As noted in #2121 (comment) and #2117 (comment), check-spelling has special code to handle the case where a user thinks they can use security-events: ... to talk to sarif reporting, but they're in a private repository and that repository doesn't have GitHub Advanced Security enabled:

https://github.com/check-spelling/check-spelling/blob/26b46adbdebd5dd0b34c7155113d50c40f43fb22/unknown-words.sh#L1610-L1618
https://github.com/check-spelling/check-spelling/blob/26b46adbdebd5dd0b34c7155113d50c40f43fb22/unknown-words.sh#L1122-L1126

Which results in this (more or less):

Check Spelling: .github/workflows/spelling.yml#L106
Unsupported configuration: use_sarif needs GitHub Advanced Security to be enabled - see https://docs.github.com/get-started/learning-about-github/about-github-advanced-security. (unsupported-configuration)


The codeql-action should have some code to handle this as well.

Ideally it'd do it in a way that is not fatal to actions/workflows that consume it.

check-spelling has to carefully decide not to call github/codeql-action today if it figures out that it'll fail; otherwise the action/workflow dies because of this fault.
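A sketch of the pre-flight check described in this issue, as an added example (not code from check-spelling or codeql-action): decide from the repository metadata whether to upload SARIF, and emit a non-fatal annotation instead of failing. The function names are hypothetical, the sample object is constructed, and reporting the skip as a warning is an assumption.

```javascript
// Added example; function names are hypothetical, sample inputs are constructed.
const DOCS =
  "https://docs.github.com/get-started/learning-about-github/about-github-advanced-security";

// `repo` is the JSON body of GET /repos/{owner}/{repo}.
function sarifUploadDecision(repo) {
  if (!repo || typeof repo.private !== "boolean") {
    return { upload: false, reason: "repository-unknown" };
  }
  // Assumption: on github.com, public repositories accept SARIF uploads.
  if (!repo.private) return { upload: true, reason: "public-repository" };
  // security_and_analysis is only returned to sufficiently privileged
  // callers, so a missing value means "unknown", not "disabled".
  const status = repo.security_and_analysis?.advanced_security?.status;
  if (status === "enabled") return { upload: true, reason: "advanced-security-enabled" };
  if (status === "disabled") return { upload: false, reason: "advanced-security-disabled" };
  return { upload: false, reason: "advanced-security-unknown" };
}

// Workflow-command escaping: message data and property values differ.
const escData = (s) =>
  String(s).replace(/%/g, "%25").replace(/\r/g, "%0D").replace(/\n/g, "%0A");
const escProp = (s) => escData(s).replace(/:/g, "%3A").replace(/,/g, "%2C");

// Returns a non-fatal ::warning annotation, or null when uploading is fine.
function skipAnnotation(decision, file, line) {
  if (decision.upload) return null;
  const msg =
    decision.reason === "advanced-security-disabled"
      ? `Unsupported configuration: use_sarif needs GitHub Advanced Security ` +
        `to be enabled - see ${DOCS}. (unsupported-configuration)`
      : `SARIF upload skipped (${decision.reason})`;
  return `::warning file=${escProp(file)},line=${Number(line)}::${escData(msg)}`;
}

// Constructed sample: private repository without Advanced Security.
const sample = {
  private: true,
  security_and_analysis: { advanced_security: { status: "disabled" } },
};
console.log(skipAnnotation(sarifUploadDecision(sample), ".github/workflows/spelling.yml", 106));
```

Treating an unreadable `security_and_analysis` as "skip" is the conservative choice here; a caller that prefers to attempt the upload can branch on the returned `reason` instead.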
