feat/annotations

* Added snippet and full file annotations

* Added comment in conversation with link to detailed match comments

* Added direct link to edit scanoss.json in undeclared policy check

* Added link to auto create scanoss.json file

* Chore: updated scanoss-py version to v1.32.0

* Added function to merge existing components in scanoss.json with undeclared components

* changed policies.halt_on_failure to false for test action

Author: Alex-1089

.github/workflows/test-action.yml

@@ -7,7 +7,7 @@ on:
       - '*'
 
 permissions:
-  contents: read
+  contents: write
   pull-requests: write
   checks: write
   actions: read
@@ -27,7 +27,9 @@ jobs:
         uses: ./
         with:
            dependencies.enabled: false
-           policies: copyleft
+           policies: copyleft, und
+           policies.halt_on_failure: 'false'
+           api.key: ${{ secrets.SC_API_KEY }}
 
 
       - name: Print stdout scan command

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.2.3] - 2025-09-18
+### Added
+- Added annotations for file and snippet matches
+- Added commit comment for each match
+- Added link to auto create scanoss.json file
+
 ## [1.2.2] - 2025-09-09
 ### Added
 - Added policies input trimming
@@ -125,3 +131,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [1.2.0]: https://github.com/scanoss/gha-code-scan/compare/v1.1.0...v1.2.0
 [1.2.1]: https://github.com/scanoss/gha-code-scan/compare/v1.2.0...v1.2.1
 [1.2.2]: https://github.com/scanoss/gha-code-scan/compare/v1.2.1...v1.2.2
+[1.2.3]: https://github.com/scanoss/gha-code-scan/compare/v1.2.2...v1.2.3

README.md

@@ -103,7 +103,7 @@ For example workflow runs, check out our
 | licenses.copyleft.include  | List of Copyleft licenses to append to the default list. Provide licenses as a comma-separated list.                                                     | Optional     | -                                    |
 | licenses.copyleft.exclude  | List of Copyleft licenses to remove from default list. Provide licenses as a comma-separated list.                                                       | Optional     | -                                    |
 | licenses.copyleft.explicit | Explicit list of Copyleft licenses to consider. Provide licenses as a comma-separated list.                                                              | Optional     | -                                    |
-| runtimeContainer           | Runtime URL                                                                                                                                              | Optional     | `ghcr.io/scanoss/scanoss-py:v1.31.5` |
+| runtimeContainer           | Runtime URL                                                                                                                                              | Optional     | `ghcr.io/scanoss/scanoss-py:v1.32.0` |
 | skipSnippets               | Skip the generation of snippets. (scanFiles option must be enabled)                                                                                      | Optional     | `false`                              |
 | scanFiles                  | Enable or disable file and snippet scanning                                                                                                              | Optional     | `true`                               |
 | scanossSettings            | Settings file to use for scanning. See the SCANOSS settings [documentation](https://scanoss.readthedocs.io/projects/scanoss-py/en/latest/#settings-file) | Optional     | `true`                               |

__tests__/github.utils.test.ts

@@ -22,7 +22,6 @@
 */
 
 import { context, getOctokit } from '@actions/github';
-import * as core from '@actions/core';
 import { getSHA, isPullRequest, createCommentOnPR, getFirstRunId } from '../src/utils/github.utils';
 
 // Mock external dependencies
@@ -34,10 +33,6 @@ jest.mock('../src/app.input', () => ({
 
 const mockOctokit = {
   rest: {
-    actions: {
-      getWorkflowRun: jest.fn(),
-      listWorkflowRuns: jest.fn()
-    },
     issues: {
       createComment: jest.fn()
     }
@@ -182,80 +177,22 @@ describe('GitHub Utils', () => {
   });
 
   describe('getFirstRunId', () => {
-    it('should return current runId for non-workflow_dispatch events', async () => {
-      (context.eventName as any) = 'push';
+    it('should always return current runId', async () => {
       (context.runId as any) = 98765;
+      (context.eventName as any) = 'push'; // Not workflow_dispatch
 
       const result = await getFirstRunId();
 
       expect(result).toBe(98765);
-      expect(mockOctokit.rest.actions.getWorkflowRun).not.toHaveBeenCalled();
-    });
-
-    it('should find first run for workflow_dispatch events', async () => {
-      (context.eventName as any) = 'workflow_dispatch';
-      (context.runId as any) = 12345;
-      (context.repo as any) = { owner: 'test-owner', repo: 'test-repo' };
-      (context.sha as any) = 'test-sha-123';
-
-      // Mock current workflow run
-      mockOctokit.rest.actions.getWorkflowRun.mockResolvedValue({
-        data: {
-          workflow_id: 'test-workflow',
-          head_sha: 'test-sha-123'
-        }
-      });
-
-      // Mock workflow runs list
-      mockOctokit.rest.actions.listWorkflowRuns.mockResolvedValue({
-        data: {
-          workflow_runs: [
-            { id: 11111, created_at: '2023-01-03T10:00:00Z', event: 'push', head_sha: 'test-sha-123' },
-            { id: 22222, created_at: '2023-01-02T10:00:00Z', event: 'push', head_sha: 'test-sha-123' },
-            { id: 33333, created_at: '2023-01-01T10:00:00Z', event: 'push', head_sha: 'test-sha-123' } // Oldest
-          ]
-        }
-      });
-
-      const infoSpy = jest.spyOn(core, 'info').mockImplementation();
-
-      const result = await getFirstRunId();
-
-      expect(result).toBe(33333); // Should return the oldest run
-      expect(infoSpy).toHaveBeenCalledWith('First Run ID found: 33333');
-
-      infoSpy.mockRestore();
     });
 
-    it('should return current runId if no first run is found', async () => {
-      (context.eventName as any) = 'workflow_dispatch';
+    it('should handle different run IDs', async () => {
       (context.runId as any) = 12345;
-
-      mockOctokit.rest.actions.getWorkflowRun.mockResolvedValue({
-        data: {
-          workflow_id: 'test-workflow',
-          head_sha: 'test-sha-123'
-        }
-      });
-
-      mockOctokit.rest.actions.listWorkflowRuns.mockResolvedValue({
-        data: {
-          workflow_runs: []
-        }
-      });
+      (context.eventName as any) = 'pull_request'; // Not workflow_dispatch
 
       const result = await getFirstRunId();
 
-      expect(result).toBe(12345); // Should return current runId as fallback
-    });
-
-    it('should throw API errors (no error handling in implementation)', async () => {
-      (context.eventName as any) = 'workflow_dispatch';
-      (context.runId as any) = 12345;
-
-      mockOctokit.rest.actions.getWorkflowRun.mockRejectedValue(new Error('API Error'));
-
-      await expect(getFirstRunId()).rejects.toThrow('API Error');
+      expect(result).toBe(12345);
     });
   });
 });

__tests__/undeclared-policy-check.test.ts

@@ -43,7 +43,8 @@ jest.mock('@actions/github', () => ({
   context: {
     repo: { owner: 'mock-owner', repo: 'mock-repo' },
     serverUrl: 'github',
-    runId: 12345678
+    runId: 12345678,
+    ref: 'refs/heads/test-branch'
     // Add other properties as needed
   },
   getOctokit: jest.fn().mockReturnValue({

action.yml

@@ -59,7 +59,7 @@ inputs:
     required: false
   runtimeContainer:
     description: 'Specify runtime container to perform the scan.'
-    default: 'ghcr.io/scanoss/scanoss-py:v1.31.5'
+    default: 'ghcr.io/scanoss/scanoss-py:v1.32.0'
     required: false
   skipSnippets:
     description: 'Skip the generation of snippets.'
@@ -100,6 +100,10 @@ inputs:
   deptrack.projectversion:
     description: 'Dependency Track project version'
     required: false
+  matchAnnotations:
+    description: 'Enable or disable match annotations'
+    required: false
+    default: 'true'
 
 outputs:
   result-filepath: