diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml
index 1d856652..2f69a868 100644
--- a/.github/workflows/differential-shellcheck.yml
+++ b/.github/workflows/differential-shellcheck.yml
@@ -36,7 +36,16 @@ jobs:
 sed -i "s/docker:\/\/ghcr\.io\/redhat-plumbers-in-action\/differential-shellcheck.*/Dockerfile/g" action.yml
 - name: Differential ShellCheck - test current changes
+ id: ShellCheck
 uses: ./
 with:
 shell-scripts: .github/.differential-shellcheck-scripts.txt
 token: ${{ secrets.GITHUB_TOKEN }}
+
+ - if: ${{ always() }}
+ name: Upload artifact with defects in SARIF format
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+ with:
+ name: Differential ShellCheck SARIF
+ path: ${{ steps.ShellCheck.outputs.sarif }}
+ retention-days: 7
diff --git a/README.md b/README.md
index a6c3529e..1d4ba943 100644
--- a/README.md
+++ b/README.md
@@ -80,10 +80,18 @@ jobs:
 with:
 fetch-depth: 0
- - name: Differential ShellCheck
+ - id: ShellCheck
+ name: Differential ShellCheck
 uses: redhat-plumbers-in-action/differential-shellcheck@v4
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
+
+ - if: ${{ always() }}
+ name: Upload artifact with ShellCheck defects in SARIF format
+ uses: actions/upload-artifact@v3
+ with:
+ name: Differential ShellCheck SARIF
+ path: ${{ steps.ShellCheck.outputs.sarif }}
 ```
 > **Warning**: _`fetch-depth: 0` is required in order to run `differential-shellcheck` successfully._
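Review bot: The new upload step in the workflow hunk is conditioned on `if: ${{ always() }}`, which also fires when the job is cancelled, something an artifact upload rarely wants; `if: ${{ !cancelled() }}` keeps the run-even-on-failure behaviour without that. If the ShellCheck step fails before it writes its `sarif` output, `path: ${{ steps.ShellCheck.outputs.sarif }}` expands to an empty string and the upload step would presumably fail on a missing required input rather than skip, so a combined guard such as `if: ${{ !cancelled() && steps.ShellCheck.outputs.sarif != '' }}` is safer. The README hunk in the same change shows the step with the mutable `actions/upload-artifact@v3` tag, whereas the workflow pins it to a commit; the docs example would be worth aligning with the pinned form.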
@@ -273,6 +281,35 @@ Token needs to have the following [characteristics](https://docs.github.com/en/r
 * Token with the `security_events: write` scope to use this endpoint for private repositories.
 * Token with the `public_repo` scope for **public repositories only**.
+If the `token` isn't passed, SARIF file can be uploaded manually using [sarif from outputs](#sarif) and [github/codeql-action/upload-sarif](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions) GitHub Action.
+
+## Outputs
+
+Differential ShellCheck exposes following [outputs](https://docs.github.com/en/actions/using-jobs/defining-outputs-for-jobs).
+
+### sarif
+
+Relative path to SARIF file containing detected defects. Example of use:
+
+```yaml
+- id: ShellCheck
+ name: Differential ShellCheck
+ uses: redhat-plumbers-in-action/differential-shellcheck@v4
+
+- if: ${{ always() }}
+ name: Upload artifact with ShellCheck defects in SARIF format
+ uses: actions/upload-artifact@v3
+ with:
+ name: Differential ShellCheck SARIF
+ path: ${{ steps.ShellCheck.outputs.sarif }}
+
+- if: ${{ always() }}
+ name: Upload SARIF to GitHub using github/codeql-action/upload-sarif
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{ steps.ShellCheck.outputs.sarif }}
+```
+
 ## Limitations
 * `differential-shellcheck` Action doesn't run correctly when overwriting commits using `--force` and when the triggering event is `push`.
diff --git a/action.yml b/action.yml
index 3a28fd92..490cf40d 100644
--- a/action.yml
+++ b/action.yml
@@ -74,6 +74,10 @@ inputs:
 description: GitHub TOKEN used to upload SARIF data.
 required: false
+outputs:
+ sarif:
+ description: 'The SARIF file containing defects'
+
 runs:
 using: docker
 image: docker://ghcr.io/redhat-plumbers-in-action/differential-shellcheck:v3.3.1
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index d90310d0..4912f030 100644
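Review bot: The description of the new `sarif` output in the action.yml hunk, `'The SARIF file containing defects'`, reads as if the output carried the file contents, while the README hunk in the same change documents it as a relative path; saying "path" in the description avoids consumers passing the value where content is expected. Judging by the `src/index.sh` hunk, the file is generated and the output written whether or not `token` is supplied, which is the main reason to consume this output and worth stating here as well, e.g. `description: 'Relative path to the SARIF file with detected defects; set even when token is not provided'`. The `outputs:` block is complete within the hunk; the surrounding `inputs:` and `runs:` sections are not.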
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -19,6 +19,7 @@
 fetch-depth: 0
 - uses: redhat-plumbers-in-action/differential-shellcheck@v4
+ id: ShellCheck
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 ```
@@ -27,6 +28,18 @@
 * Action now perform full scans on `push` event by default and on `manual` trigger when requested
 * Addition of new Summary page for full scans
+* SARIF file is now exposed under output `sarif` for further use.
+
+ ```yaml
+ - if: ${{ always() }}
+ name: Upload artifact with defects in SARIF format
+ uses: actions/upload-artifact@v3
+ with:
+ name: Differential ShellCheck SARIF
+ path: ${{ steps.ShellCheck.outputs.sarif }}
+ retention-days: 7
+ ```
+
 * Removal of unused output - `ENV.LIST_OF_SCRIPTS`
 * Increased code coverage
 * Some minor bugfixes, ShellCheck fixes, and CI updates
diff --git a/src/index.sh b/src/index.sh
index 9cd58599..29237d7b 100755
--- a/src/index.sh
+++ b/src/index.sh
@@ -93,26 +93,30 @@ echo
 evaluate_and_print_defects
 exit_status=$?
+# Upload all defects when Full scan was requested
+if [[ ${FULL_SCAN} -eq 0 ]]; then
+ cp ../full-shellcheck.err ../sarif-defects.log
+else
+ cp ../defects.log ../sarif-defects.log
+fi
+
+# GitHub requires an absolute path, so let's remove the './' prefix from it.
+# TODO: Don't hardcode ShellCheck version
+csgrep \
+ --strip-path-prefix './' \
+ --mode=sarif \
+ --set-scan-prop='tool:ShellCheck' \
+ --set-scan-prop='tool-version:0.8.0' \
+ --set-scan-prop='tool-url:https://www.shellcheck.net/wiki/' \
+ '../sarif-defects.log' >> output.sarif
+
+echo "sarif=output.sarif" >> "${GITHUB_OUTPUT}"
+
 # SARIF upload
 if [[ -n "${INPUT_TOKEN}" ]]; then
 echo
- # Upload all defects when Full scan was requested
- if [[ ${FULL_SCAN} -eq 0 ]]; then
- cp ../full-shellcheck.err ../sarif-defects.log
- else
- cp ../defects.log ../sarif-defects.log
- fi
-
- # GitHub requires an absolute path, so let's remove the './' prefix from it.
- # TODO: Don't hardcode ShellCheck version
- csgrep \
- --strip-path-prefix './' \
- --mode=sarif \
- --set-scan-prop='tool:ShellCheck' \
- --set-scan-prop='tool-version:0.8.0' \
- --set-scan-prop='tool-url:https://www.shellcheck.net/wiki/' \
- '../sarif-defects.log' >> output.sarif && uploadSARIF
+ uploadSARIF
 fi
 summary >> "${GITHUB_STEP_SUMMARY}"
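Review bot: The moved `csgrep` call still appends with `>> output.sarif`, and now runs unconditionally, so any pre-existing `output.sarif` in the working directory (a stale file on a reused runner, or, if the working directory is the checkout as the `../defects.log` paths suggest, a file that ships in the scanned repository) is prepended to this run's report and that concatenation is what `sarif=output.sarif` exposes and `uploadSARIF` sends; writing with `'../sarif-defects.log' > output.sarif` makes the file always reflect the current run. The rewrite also drops the `&& uploadSARIF` that previously gated the upload on a successful conversion, so a failed or partial csgrep run now still uploads whatever the file holds; recording `sarif_status=$?` right after the csgrep command and checking `if [[ -n "${INPUT_TOKEN}" && ${sarif_status} -eq 0 ]]; then` restores that guard. Whether the script runs under `set -e` is not visible in this hunk.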