feat: only comment on commits/PRs if CI breaks (#9)

randomicecube · web-flow · commit f59e52727b93 · 2025-02-19T10:48:00.000+01:00
diff --git a/README.md b/README.md
@@ -6,13 +6,11 @@ Add this workflow to your repository to analyze dependencies in your pull reques
 
 The action will:
 
-<!-- TODO: make sure this first point is correct -->
-
-1. Run on commits that modify dependency files (OR in the first commit after the action is added)
-2. Analyze dependencies for software supply chain issues
+1. Run on commits that modify dependency files
+2. Analyze dependencies for software supply chain smells
 3. Post results:
-   1. If in a PR, will post the report as a comment
-   2. Otherwise, results are available in the action logs; if high severity issues are found, the report will be posted as a comment in the commit, if enabled
+   1. If in a PR, will post the report as a comment by default if CI fails
+   2. Otherwise, results are available in the action logs; if CI fails, the report may also be posted as a comment in the commit, if enabled
 4. Break CI if high severity issues are found, if enabled
 
 As an important note, **the first time you run this action, it _will_ take quite some time**!
@@ -45,8 +43,8 @@ SSC issues currently checked for:
 | no_gradual_report     | Disable gradual report functionality                                                               | No       | false          |
 | fail_on_high_severity | Fail CI on high severity issues                                                                    | No       | true           |
 | x_to_fail             | Percentage threshold to break CI on non-high severity issues (per type of issue)                   | No       | 5% of packages |
-| allow_pr_comment      | Comment on PR if high severity issues found                                                        | No       | true           |
-| comment_on_commit     | Comment on commit if high severity issues found                                                    | No       | false          |
+| allow_pr_comment      | Post analysis results as a PR comment if CI breaks                                                 | No       | true           |
+| comment_on_commit     | Post analysis results as a commit comment if CI breaks                                             | No       | false          |
 | latest_commit_sha     | Latest commit SHA, used to comment on commits                                                      | Yes      | -              |
 | github_event_before   | GitHub event before SHA, to retrieve the previous cache key                                        | Yes      | -              |
 | ignore_cache          | Ignore the repository cache for this run (true/false)                                              | No       | false          |
diff --git a/action.yml b/action.yml
@@ -58,11 +58,11 @@ inputs:
     required: false
     default: '5'
   allow_pr_comment:
-    description: 'Post analysis results as a PR comment if high severity issues are found'
+    description: 'Post analysis results as a PR comment if CI breaks'
     required: false
     default: 'true'
   comment_on_commit:
-    description: 'Post analysis results as a commit comment if high severity issues are found'
+    description: 'Post analysis results as a commit comment if CI breaks'
     required: false
     default: 'false'
   latest_commit_sha:
@@ -124,106 +124,122 @@ runs:
         GITHUB_API_TOKEN: ${{ inputs.github_token }}
       run: |
         cd dirty-waters/tool
-        
+
         # Copy cache if it exists
         if [ -d "$GITHUB_WORKSPACE/tool/cache" ]; then
           cp -r $GITHUB_WORKSPACE/tool/cache/ .
         fi
-        
+
         # Build command
         CMD="python main.py -p ${{ inputs.project_repo }} -v ${{ inputs.version_old }} -s -pm ${{ inputs.package_manager }}"
-        
+
         if [ "${{ inputs.differential_analysis }}" == "true" ]; then
             CMD="$CMD -vn ${{ inputs.version_new }} -d"
         fi
-        
+
         if [ -n "${{ inputs.name_match }}" ]; then
             CMD="$CMD -n"
         fi
-        
+
         if [ -n "${{ inputs.pnpm_scope }}" ]; then
             CMD="$CMD --pnpm-scope ${{ inputs.pnpm_scope }}"
         fi
-        
+
         if [ -n "${{ inputs.specified_smells }}" ]; then
             CMD="$CMD ${{ inputs.specified_smells }}"
         fi
-        
+
         if [ "${{ inputs.debug }}" == "true" ]; then
             CMD="$CMD --debug"
         fi
-        
+
         if [ "${{ inputs.no_gradual_report }}" == "true" ]; then
             CMD="$CMD --no-gradual-report"
         fi
-        
+
         echo "Running command: $CMD"
         eval $CMD
-        
+
         # Copy cache back
         cp -r cache/ "$GITHUB_WORKSPACE/tool/"
-        
+
         # Process results
         if [ ! -d "results" ]; then
             echo "An error occurred: no reports were generated"
             exit 1
         fi
-        
+
         if [ "${{ inputs.differential_analysis }}" == "true" ]; then
             latest_report=$(ls -t results/*/*_diff_summary.md | head -n1)
         else
             latest_report=$(ls -t results/*/*_static_summary.md | head -n1)
         fi
-        
+
         COMMENT=$(cat "$latest_report")
         cat "$latest_report" # Debug purposes: we always paste it in the logs
-        
-        # Handle PR comments
-        PR_NUMBER=$(jq -r ".pull_request.number" "$GITHUB_EVENT_PATH")
-        if [[ "$PR_NUMBER" != "null" && "${{ inputs.allow_pr_comment }}" == "true" ]]; then
-            curl -s -X POST \
-                -H "Accept: application/vnd.github.v3+json" \
-                -H "Authorization: token $GITHUB_TOKEN" \
-                "https://api.github.com/repos/${{ inputs.project_repo }}/issues/$PR_NUMBER/comments" \
-                -d "$(jq -n --arg body "$COMMENT" '{body: $body}')"
-        elif [ "${{ inputs.comment_on_commit }}" == "true" ]; then
+
+        # Check for CI failure conditions
+        CI_WILL_FAIL=0
+
+        # Check for high severity issues
+        if [ "${{ inputs.fail_on_high_severity }}" == "true" ]; then
             if [[ $(cat "$latest_report" | grep -o "(⚠️⚠️⚠️) [0-9]*" | grep -o "[0-9]*" | sort -nr | head -n1) -gt 0 ]]; then
+                echo "High severity issues found. CI will fail."
+                CI_WILL_FAIL=1
+            fi
+        fi
+
+        # Only check for threshold violations if we haven't already decided to fail
+        if [ $CI_WILL_FAIL -eq 0 ]; then
+            total_packages=$(cat "$latest_report" | grep -o "Total packages in the supply chain: [0-9]*" | grep -o "[0-9]*")
+            for severity in "⚠️⚠️⚠️" "⚠️⚠️" "⚠️"; do
+                for count in $(cat "$latest_report" | grep -o "($severity) [0-9]*" | grep -o "[0-9]*"); do
+                    if [[ $(echo "scale=2; $count / $total_packages * 100" | bc) -gt ${{ inputs.x_to_fail }} ]]; then
+                        echo "Number of $severity issues surpasses the threshold. CI will fail."
+                        CI_WILL_FAIL=1
+                        break 2  # Break both loops once we know we'll fail
+                    fi
+                done
+            done
+        fi
+
+        # Handle comments only if CI will fail
+        if [ $CI_WILL_FAIL -eq 1 ]; then
+            # Handle PR comments
+            PR_NUMBER=$(jq -r ".pull_request.number" "$GITHUB_EVENT_PATH")
+            if [[ "$PR_NUMBER" != "null" && "${{ inputs.allow_pr_comment }}" == "true" ]]; then
+                curl -s -X POST \
+                    -H "Accept: application/vnd.github.v3+json" \
+                    -H "Authorization: token $GITHUB_TOKEN" \
+                    "https://api.github.com/repos/${{ inputs.project_repo }}/issues/$PR_NUMBER/comments" \
+                    -d "$(jq -n --arg body "$COMMENT" '{body: $body}')"
+            fi
+
+            # Handle commit comments
+            if [ "${{ inputs.comment_on_commit }}" == "true" ]; then
                 curl -s -X POST \
                     -H "Accept: application/vnd.github.v3+json" \
                     -H "Authorization: token $GITHUB_TOKEN" \
                     "https://api.github.com/repos/${{ inputs.project_repo }}/commits/${{ inputs.latest_commit_sha }}/comments" \
                     -d "$(jq -n --arg body "$COMMENT" '{body: $body}')"
             fi
         fi
-        
+
         # Copy results
         cp -r results/* "$GITHUB_WORKSPACE/"
-        
-        # Check for high severity issues
-        if [ "${{ inputs.fail_on_high_severity }}" == "true" ]; then
-            if [[ $(cat "$latest_report" | grep -o "(⚠️⚠️⚠️) [0-9]*" | grep -o "[0-9]*" | sort -nr | head -n1) -gt 0 ]]; then
-                echo "High severity issues found. Failing the build"
-                exit 1
-            fi
+
+        # Exit with failure if CI_WILL_FAIL is set
+        if [ $CI_WILL_FAIL -eq 1 ]; then
+            exit 1
         fi
-        
-        total_packages=$(cat "$latest_report" | grep -o "Total packages in the supply chain: [0-9]*" | grep -o "[0-9]*")
-        for severity in "⚠️⚠️" "⚠️"; do
-            for count in $(cat "$latest_report" | grep -o "($severity) [0-9]*" | grep -o "[0-9]*"); do
-                if [[ $(echo "scale=2; $count / $total_packages * 100" | bc) -gt ${{ inputs.x_to_fail }} ]]; then
-                    echo "Number of $severity issues surpasses the threshold. Failing the build"
-                    exit 1
-                fi
-            done
-        done
 
     - name: Save cache
       uses: actions/cache/save@v4
       if: always()
       with:
         path: tool/cache
         key: dirty-waters-cache-${{ runner.os }}-${{ inputs.project_repo }}-${{ github.sha }}
-    
+
     - name: Break CI if analyses fail
       run: exit $(( steps.analysis.outcome == 'failure' ))
       shell: bash
