diff --git a/README.md b/README.md
index e89333c..5ac4d8d 100644
--- a/README.md
+++ b/README.md
@@ -41,7 +41,7 @@ SSC issues currently checked for:
 | debug | Enable debug mode | No | false |
 | config | Path to the configuration file, relative to your project's root | No | - |
 | gradual_report | Enable gradual report functionality | No | true |
-| fail_on_high_severity | Fail CI on high severity issues | No | true |
+| fail_on_min_severity | Break CI if any issues with this severity (or higher) are found | No | critical |
 | x_to_fail | Percentage threshold to break CI on high or medium severity issues (per type of issue) | No | 5% of packages |
 | allow_pr_comment | Post analysis results as a PR comment if CI breaks | No | true |
 | comment_on_commit | Post analysis results as a commit comment if CI breaks | No | false |
diff --git a/action.yml b/action.yml
index 3d7a1a1..9241275 100644
--- a/action.yml
+++ b/action.yml
@@ -49,10 +49,10 @@ inputs:
     description: 'Enable gradual report functionality'
     required: false
     default: 'true'
-  fail_on_high_severity:
-    description: 'Break CI if high severity issues are found'
+  fail_on_min_severity:
+    description: 'Break CI if any issues with this severity (or higher) are found'
     required: false
-    default: 'true'
+    default: 'critical'
   x_to_fail:
     description: 'Percentage threshold for the number of high or medium severity issues to fail the CI'
     required: false
@@ -105,7 +105,7 @@ runs:
     - name: Restore cache
       uses: actions/cache/restore@v4.2.3
       id: restore-cache
-      if: inputs.ignore_cache != 'true'
+      if: ${{ inputs.ignore_cache != true && inputs.ignore_cache != 'true' }}
       with:
         path: tool/cache
         key: dirty-waters-cache-${{ runner.os }}-${{ inputs.project_repo }}-${{ inputs.github_event_before }}
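Review bot: Renaming the input to `fail_on_min_severity` without keeping `fail_on_high_severity` as a deprecated alias means a workflow that still sets the old name gets, as far as I know, only an "unexpected input" warning and then silently falls through to the new default `critical`, which is a weaker gate than the previous fail-on-high behaviour. The description should also list the accepted values so users do not have to read the run step to discover them: `description: 'Break CI if any issues with this severity (or higher) are found. One of: low, medium, high, critical'`. The unchanged `x_to_fail` description still speaks only of high or medium issues, which may be worth reconciling with the new levels.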
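Review bot: The added `inputs.ignore_cache != true` clause on the new `if:` line looks redundant as far as I can tell: action inputs arrive in the expression as strings, so a YAML `true` in the caller's `with:` is already caught by `!= 'true'`, and expression string comparison is case-insensitive so `True` is covered too. If the motivation was that the bare expression was not being evaluated, wrapping it in `${{ }}` is the whole fix and the line can stay `if: ${{ inputs.ignore_cache != 'true' }}`.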
@@ -121,7 +121,7 @@ runs: git clone https://github.com/chains-project/dirty-waters.git cd dirty-waters # The version is pinned to the latest dirty-waters release at the time of the action release - DIRTY_WATERS_VERSION="v0.97.0" + DIRTY_WATERS_VERSION="6065c48e8d770adc9679a229ce31cfbe4f2aa99b" # change to main version before merge git checkout $DIRTY_WATERS_VERSION pip install -r requirements.txt
@@ -195,13 +195,29 @@ runs:
         # Check for CI failure conditions
         CI_WILL_FAIL=0
 
-        # Check for high severity issues
-        if [ "${{ inputs.fail_on_high_severity }}" == "true" ]; then
-          echo "[DEBUG] Fails on high severity, checking for any high severity issues"
-          if [[ $(cat "$latest_report" | grep -o "(⚠️⚠️⚠️): [0-9]*" | grep -o "[0-9]*" | sort -nr | head -n1) -gt 0 ]]; then
-            echo "High severity issues found. CI will fail."
-            CI_WILL_FAIL=1
+        # Check if min-severity issues are in the report
+        if [ -n "${{ inputs.fail_on_min_severity }}" ]; then
+          declare -A severity_map=( ["low"]=1 ["medium"]=2 ["high"]=3 ["critical"]=4 )
+          min_severity="${{ inputs.fail_on_min_severity }}"
+          min_level=${severity_map[$min_severity]}
+
+          if [ -z "$min_level" ]; then
+            echo "[ERROR] Invalid value for fail_on_min_severity: $min_severity"
+            exit 1
           fi
+
+          echo "[DEBUG] Fail on severity level '$min_severity' and above (level $min_level)"
+
+          for severity_level in $(seq "$min_level" 4); do
+            warning_icons=$(printf '⚠️%.0s' $(seq 1 "$severity_level"))
+            for count in $(cat "$latest_report" | grep -o "(${warning_icons}): [0-9]*" | grep -o "[0-9]*"); do
+              if [ "$count" -gt 0 ]; then
+                echo "Severity level $severity_level or higher issue(s) found. CI will fail."
+                CI_WILL_FAIL=1
+                break
+              fi
+            done
+          done
         fi
 
         # function from https://unix.stackexchange.com/questions/137110/comparison-of-decimal-numbers-in-bash
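Review bot: The new block interpolates the input straight into the shell script twice — `if [ -n "${{ inputs.fail_on_min_severity }}" ]` and `min_severity="${{ inputs.fail_on_min_severity }}"` — so bash parses the raw value before the `severity_map` validation ever runs; the removed code had the same pattern, but since the block is being rewritten, the safer form is to expose the input on the step as an environment variable (e.g. `env: FAIL_ON_MIN_SEVERITY: ${{ inputs.fail_on_min_severity }}`) and reference `"$FAIL_ON_MIN_SEVERITY"` in both places; the step header is outside the hunk. The default `critical` maps to four icons, whereas the removed check only ever looked for the three-icon `(⚠️⚠️⚠️)` marker; if the report does not emit a four-icon level, the default configuration would never fail CI, which is worth confirming against the report format. The `severity_map` lookup is case-sensitive, so `High` is rejected by the `[ -z "$min_level" ]` check; `min_severity="${min_severity,,}"` before the lookup would be more forgiving and the script already requires bash 4 for `declare -A`. The `break` in the inner loop only exits the `for count` loop, so each higher level is still scanned and may print another "CI will fail" line; `break 2` would stop at the first hit.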