
Commit f9770de

fix: improve CodeQL security-severity lookup and Link Checker formatting
- Fix the CodeQL security-severity lookup to join results with rule definitions via ruleId (severity is on rules, not results)
- Make "Link Checker Results" a visible heading with collapsible details for the broken links list
1 parent 441aa92 commit f9770de

1 file changed

+17
-4
lines changed


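--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -263,7 +263,17 @@ jobs:
 for sarif in codeql-results/*.sarif; do
 if [ -f "$sarif" ]; then
 # Check for error level OR security-severity >= 7.0 (high/critical)
-CODEQL_CRITICAL=$(jq -r '[.runs[0].results[] | select(.level == "error" or ((.properties["security-severity"] // "0") | tonumber >= 7.0))] | length' "$sarif" 2>/dev/null || echo "0")
+# Note: security-severity is on rule definitions, not results, so we join via ruleId
+CODEQL_CRITICAL=$(jq -r '
+# Collect security-severity from driver and extension rules
+(.runs[0].tool.driver.rules // []) as $driver_rules |
+([.runs[0].tool.extensions[]?.rules // []] | add // []) as $ext_rules |
+($driver_rules + $ext_rules | map({(.id): (.properties["security-severity"] // "0")}) | add // {}) as $severities |
+[.runs[0].results[] | select(
+.level == "error" or
+(($severities[.ruleId] // "0") | tonumber >= 7.0)
+)] | length
+' "$sarif" 2>/dev/null || echo "0")
 if [ "$CODEQL_CRITICAL" -gt 0 ]; then
 echo "::error::CodeQL found $CODEQL_CRITICAL critical/high severity issue(s)"
 FAILED=true
@@ -345,8 +355,7 @@ jobs:
 - name: Link Checker Summary
 if: ${{ !inputs.skip_linkcheck && always() }}
 run: |
-echo "<details>" >> $GITHUB_STEP_SUMMARY
-echo "<summary><strong>Link Checker Results</strong></summary>" >> $GITHUB_STEP_SUMMARY
+echo "## Link Checker Results" >> $GITHUB_STEP_SUMMARY
 echo "" >> $GITHUB_STEP_SUMMARY
 if [ -f "html-link-report.md" ]; then
 # Extract summary stats from the report
@@ -357,9 +366,14 @@ jobs:
 if [ "$ERRORS" -gt 0 ]; then
 echo ":x: **Found $ERRORS broken link(s)**" >> $GITHUB_STEP_SUMMARY
 echo "" >> $GITHUB_STEP_SUMMARY
+echo "<details>" >> $GITHUB_STEP_SUMMARY
+echo "<summary>View broken links</summary>" >> $GITHUB_STEP_SUMMARY
+echo "" >> $GITHUB_STEP_SUMMARY
 echo '```' >> $GITHUB_STEP_SUMMARY
 grep -E "^\[ERROR\]|^\[[45][0-9]{2}\]" html-link-report.md >> $GITHUB_STEP_SUMMARY
 echo '```' >> $GITHUB_STEP_SUMMARY
+echo "" >> $GITHUB_STEP_SUMMARY
+echo "</details>" >> $GITHUB_STEP_SUMMARY
 elif [ "$TIMEOUTS" -gt 0 ]; then
 echo ":warning: **$TIMEOUTS link(s) timed out** (external sites may be slow)" >> $GITHUB_STEP_SUMMARY
 else
@@ -369,7 +383,6 @@ jobs:
 echo ":warning: No link check report found." >> $GITHUB_STEP_SUMMARY
 fi
 echo "" >> $GITHUB_STEP_SUMMARY
-echo "</details>" >> $GITHUB_STEP_SUMMARY
 - name: Upload link check report
 if: ${{ !inputs.skip_linkcheck }}
 uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f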
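Review bot: The rewritten jq filter in the first hunk still ends in `2>/dev/null || echo "0"`, so any jq failure — a malformed SARIF file, or a rule whose `security-severity` value is not numeric and makes `tonumber` abort the whole filter — is reported as zero critical findings and the gate passes silently. Since this step is what blocks the build on high-severity alerts, an evaluation error should fail closed: test the exit status separately, e.g. `if ! CODEQL_CRITICAL=$(jq -r '…' "$sarif"); then echo "::error::Could not evaluate $sarif"; FAILED=true; continue; fi`, and replace the dropped redirect with a comment such as `# jq errors fail the gate rather than counting as 0`. Whether every CodeQL result carries its own `.level` rather than inheriting it from the rule's default configuration is not visible here; if it does not, the `.level == "error"` branch may need the same ruleId join that the severity branch now uses. The enclosing `for` loop and `run:` block start and end outside the hunk.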
