Merged
59 commits
b8e4aa4
Added snippet and full file annotations
Alex-1089 Sep 16, 2025
6413a71
Fixed line parsing issue
Alex-1089 Sep 16, 2025
530585b
Workaround for github annotation limit
Alex-1089 Sep 16, 2025
d0c3582
Fixing commit comments
Alex-1089 Sep 17, 2025
3df8399
Improved annotations. Added comment in conversation with link to deta…
Alex-1089 Sep 17, 2025
217adbb
Added direct link to edit scanoss.json in undeclared policy check
Alex-1089 Sep 17, 2025
b36d451
Added logic to link creation in undeclared policy check
Alex-1089 Sep 17, 2025
a8c37e7
Fixed link to scanoss.json
Alex-1089 Sep 17, 2025
037e512
Adding link auto create scanoss.json file
Alex-1089 Sep 17, 2025
4db04e1
Create link now adds json to scanoss.json
Alex-1089 Sep 17, 2025
5c719f3
Switched link to markdown
Alex-1089 Sep 17, 2025
ad9e30d
Chore: updated scanoss-py version to v1.32.0
Alex-1089 Sep 17, 2025
6b39958
Merge remote-tracking branch 'origin/main' into feat/annotations
Alex-1089 Sep 17, 2025
f2130d2
Fixed linting issues
Alex-1089 Sep 17, 2025
70fdb68
Updated Changelog. Added function to merge existing components in sca…
Alex-1089 Sep 18, 2025
82c6bf0
Fixing param matchAnnotations
Alex-1089 Sep 18, 2025
42b3e60
Added Scan exit code handling
Alex-1089 Sep 18, 2025
fc7ea53
Fixed unit tests
Alex-1089 Sep 18, 2025
773bea3
Nitpick Change
Alex-1089 Sep 19, 2025
634c1df
Fixed bug where policy checks were being added to the wrong job
Alex-1089 Sep 19, 2025
92f5996
Update test-action.yml
Alex-1089 Sep 19, 2025
06ad6d8
Fixing job attachment bug
Alex-1089 Sep 19, 2025
0e7d941
Merge remote-tracking branch 'origin/feat/annotations' into feat/anno…
Alex-1089 Sep 19, 2025
7ec1031
Fixing job attachment bug
Alex-1089 Sep 19, 2025
3950c98
Fixing job attachment bug
Alex-1089 Sep 19, 2025
416101a
Fixing job attachment bug
Alex-1089 Sep 19, 2025
f2fd429
Fixing job attachment bug
Alex-1089 Sep 19, 2025
71d5368
Fixing job attachment bug
Alex-1089 Sep 19, 2025
d24b114
Fixing job attachment bug
Alex-1089 Sep 19, 2025
61c1ec0
Fixing job attachment bug
Alex-1089 Sep 19, 2025
bd653a7
Reverting changes getting firstRunId
Alex-1089 Sep 19, 2025
87e6674
Update test-action.yml
Alex-1089 Sep 19, 2025
136bffe
Fixed logic for finding file matches
Alex-1089 Sep 19, 2025
f61ad75
Merge remote-tracking branch 'origin/feat/annotations' into feat/anno…
Alex-1089 Sep 19, 2025
1df3664
changed policies.halt_on_failure to false for test action
Alex-1089 Sep 21, 2025
a709818
Fixed tests. Cleaned code
Alex-1089 Sep 21, 2025
5465efd
Linting
Alex-1089 Sep 21, 2025
b6865be
Code fixes
Alex-1089 Sep 21, 2025
accbf9b
Linting
Alex-1089 Sep 21, 2025
16bcaae
Code organisation, documentation and improved error handling
Alex-1089 Sep 21, 2025
6a9dbef
Linting
Alex-1089 Sep 21, 2025
ef9c9c7
Fixed commit comment link
Alex-1089 Sep 21, 2025
7d70dc9
Fixed file preview inside commit comments
Alex-1089 Sep 21, 2025
c472e79
Linting
Alex-1089 Sep 21, 2025
678e171
Fixed file preview in commit comment
Alex-1089 Sep 21, 2025
04d852e
Made file preview scrollable
Alex-1089 Sep 21, 2025
a3c2553
Fixed scrollable file preview
Alex-1089 Sep 21, 2025
51d5214
Fixing scrollable file preview
Alex-1089 Sep 21, 2025
e1ba78f
Fixing scrollable file preview
Alex-1089 Sep 21, 2025
070ee33
Fixing scrollable file preview
Alex-1089 Sep 21, 2025
dacad2f
Fixing scrollable file preview
Alex-1089 Sep 21, 2025
27fec6e
Fixing scrollable file preview
Alex-1089 Sep 21, 2025
8fae301
Fixing scrollable file preview
Alex-1089 Sep 22, 2025
530974f
Fixing commit comment formatting
Alex-1089 Sep 22, 2025
9ace7e0
Fixing commit comment formatting
Alex-1089 Sep 22, 2025
18fb13a
Addressing coderabbit nitpick comments
Alex-1089 Sep 23, 2025
813ef4b
Addressing coderabbit nitpick comments
Alex-1089 Sep 23, 2025
a7eca31
Review fixes
Alex-1089 Sep 24, 2025
54dcc5c
Fixed logic
Alex-1089 Sep 24, 2025
6 changes: 4 additions & 2 deletions .github/workflows/test-action.yml
Expand Up @@ -7,7 +7,7 @@ on:
- '*'

permissions:
contents: read
contents: write
pull-requests: write
checks: write
actions: read
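Review bot: contents: read becomes contents: write for the whole test workflow without a line saying which new API call requires it; the per-match commit comments added in this PR are the likely reason, so state that next to the permission and keep the elevated scope on the job that posts the comments rather than on the workflow. Note that the token for pull requests from forks stays read-only regardless, so the comment-posting path should also be exercised with a read-only token to confirm it degrades cleanly.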
Expand All @@ -27,7 +27,9 @@ jobs:
uses: ./
with:
dependencies.enabled: false
policies: copyleft
policies: copyleft, und
policies.halt_on_failure: 'false'
api.key: ${{ secrets.SC_API_KEY }}
⚠️ Potential issue

🧩 Analysis chain

Invalid input id 'api.key' — dots aren’t allowed in action input names; value will likely be ignored.

GitHub Actions input IDs must start with a letter or “_” and contain only alphanumerics, “-”, or “_”. A dot “.” is invalid, and unless action.yml incorrectly declares the same dotted id, this won’t bind to the action’s inputs. Prefer api-key or api_key, and ensure the metadata declares it. Alternatively, pass the secret via env if the action reads an env var. (docs.github.com)

Apply one of these:

Option A — rename the input:

-           api.key: ${{ secrets.SC_API_KEY }}
+           api-key: ${{ secrets.SC_API_KEY }}

Option B — pass as environment variable (if the action reads SC_API_KEY/SCANOSS_API_KEY):

-        with:
-           dependencies.enabled: false
-           policies: copyleft, und
-           api.key: ${{ secrets.SC_API_KEY }}
+        with:
+           dependencies.enabled: false
+           policies: copyleft, und
+        env:
+          SC_API_KEY: ${{ secrets.SC_API_KEY }}

Run to verify the input is properly declared and no dotted inputs exist:


🏁 Script executed:

#!/bin/bash
# Find action metadata and list declared inputs; ensure `api-key` (or `api_key`) exists and no dots are used.
fd -t f -a 'action.y*ml' | xargs -I{} sh -c 'echo "== {} =="; rg -n "^\\s*inputs:|^\\s{2,}[A-Za-z_][A-Za-z0-9_-]*\\s*:" -n "{}" -N -C0'
# Grep any dotted input ids (should return nothing)
rg -nP '^\s{2,}[A-Za-z_].*\..*:\s*$' -S

Length of output: 18711


action.yml declares dotted input IDs (e.g. api.key) — dots are invalid; fix action metadata and workflows.

GitHub input IDs must start with a letter or _ and contain only alphanumerics, -, or _. (docs.github.com)

  • Evidence: repo action metadata (action.yml, root) declares dotted inputs including api.key, api.url, dependencies.enabled, dependencies.scope / dependencies.scope.include / dependencies.scope.exclude, licenses.copyleft.*, deptrack.apikey, etc. (see action.yml).
  • Fix (required): rename inputs in action.yml to valid IDs (e.g. api-key or api_key) and update workflows that set them (e.g. change api.key: ${{ secrets.SC_API_KEY }} → api-key: ${{ secrets.SC_API_KEY }} in .github/workflows/test-action.yml).
  • Alternative: pass the secret via env and have the action read an env var (env: SC_API_KEY: ${{ secrets.SC_API_KEY }}) if you prefer not to change action metadata.
🤖 Prompt for AI Agents
.github/workflows/test-action.yml around line 31: the workflow sets an action
input using an invalid dotted ID (api.key); rename inputs in action.yml to valid
IDs (e.g., api-key or api_key) and update this workflow to use the new name
(change api.key: ${{ secrets.SC_API_KEY }} → api-key: ${{ secrets.SC_API_KEY
}}), and then search the repo for other dotted input usages (e.g., api.url,
dependencies.* , licenses.copyleft.*, deptrack.apikey) and update those
workflows to the corresponding new valid IDs (or alternatively export the secret
via env and consume it inside the action), and ensure action.yml input names are
updated consistently to match the new IDs.



- name: Print stdout scan command
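Review bot: policies: copyleft, und reads as a truncated "undeclared"; unless the policies parser from "Added policies input trimming" deliberately accepts prefixes, spell the policy name out so this workflow actually exercises the undeclared check that the PR adds links for. The CodeRabbit thread above about the dotted api.key input applies equally to dependencies.enabled and the new policies.halt_on_failure on these lines; whichever way that is resolved, keep the three consistent.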
7 changes: 7 additions & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [1.2.3] - 2025-09-18
### Added
- Added annotations for file and snippet matches
- Added commit comment for each match
- Added link to auto create scanoss.json file

## [1.2.2] - 2025-09-09
### Added
- Added policies input trimming
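Review bot: the new [1.2.3] entry is dated 2025-09-18 although the branch carries commits through Sep 24 (review fixes, the job attachment fixes), and it omits two changes visible elsewhere in this PR: the runtimeContainer default bump to ghcr.io/scanoss/scanoss-py:v1.32.0 and the new matchAnnotations input. Update the date and add those two items under Added/Changed.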
Expand Down Expand Up @@ -125,3 +131,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
[1.2.0]: https://github.com/scanoss/gha-code-scan/compare/v1.1.0...v1.2.0
[1.2.1]: https://github.com/scanoss/gha-code-scan/compare/v1.2.0...v1.2.1
[1.2.2]: https://github.com/scanoss/gha-code-scan/compare/v1.2.1...v1.2.2
[1.2.3]: https://github.com/scanoss/gha-code-scan/compare/v1.2.2...v1.2.3
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -103,7 +103,7 @@ For example workflow runs, check out our
| licenses.copyleft.include | List of Copyleft licenses to append to the default list. Provide licenses as a comma-separated list. | Optional | - |
| licenses.copyleft.exclude | List of Copyleft licenses to remove from default list. Provide licenses as a comma-separated list. | Optional | - |
| licenses.copyleft.explicit | Explicit list of Copyleft licenses to consider. Provide licenses as a comma-separated list. | Optional | - |
| runtimeContainer | Runtime URL | Optional | `ghcr.io/scanoss/scanoss-py:v1.31.5` |
| runtimeContainer | Runtime URL | Optional | `ghcr.io/scanoss/scanoss-py:v1.32.0` |
| skipSnippets | Skip the generation of snippets. (scanFiles option must be enabled) | Optional | `false` |
| scanFiles | Enable or disable file and snippet scanning | Optional | `true` |
| scanossSettings | Settings file to use for scanning. See the SCANOSS settings [documentation](https://scanoss.readthedocs.io/projects/scanoss-py/en/latest/#settings-file) | Optional | `true` |
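Review bot: the inputs table is updated only for the runtimeContainer default, but the action.yml change in this PR adds a matchAnnotations input (default 'true') that has no row here; add it with its description, optionality and default so users can see how to switch the annotations and commit comments off.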
73 changes: 5 additions & 68 deletions __tests__/github.utils.test.ts
Expand Up @@ -22,7 +22,6 @@
*/

import { context, getOctokit } from '@actions/github';
import * as core from '@actions/core';
import { getSHA, isPullRequest, createCommentOnPR, getFirstRunId } from '../src/utils/github.utils';

// Mock external dependencies
Expand All @@ -34,10 +33,6 @@ jest.mock('../src/app.input', () => ({

const mockOctokit = {
rest: {
actions: {
getWorkflowRun: jest.fn(),
listWorkflowRuns: jest.fn()
},
issues: {
createComment: jest.fn()
}
Expand Down Expand Up @@ -182,80 +177,22 @@ describe('GitHub Utils', () => {
});

describe('getFirstRunId', () => {
it('should return current runId for non-workflow_dispatch events', async () => {
(context.eventName as any) = 'push';
it('should always return current runId', async () => {
(context.runId as any) = 98765;
(context.eventName as any) = 'push'; // Not workflow_dispatch

const result = await getFirstRunId();

expect(result).toBe(98765);
expect(mockOctokit.rest.actions.getWorkflowRun).not.toHaveBeenCalled();
});

it('should find first run for workflow_dispatch events', async () => {
(context.eventName as any) = 'workflow_dispatch';
(context.runId as any) = 12345;
(context.repo as any) = { owner: 'test-owner', repo: 'test-repo' };
(context.sha as any) = 'test-sha-123';

// Mock current workflow run
mockOctokit.rest.actions.getWorkflowRun.mockResolvedValue({
data: {
workflow_id: 'test-workflow',
head_sha: 'test-sha-123'
}
});

// Mock workflow runs list
mockOctokit.rest.actions.listWorkflowRuns.mockResolvedValue({
data: {
workflow_runs: [
{ id: 11111, created_at: '2023-01-03T10:00:00Z', event: 'push', head_sha: 'test-sha-123' },
{ id: 22222, created_at: '2023-01-02T10:00:00Z', event: 'push', head_sha: 'test-sha-123' },
{ id: 33333, created_at: '2023-01-01T10:00:00Z', event: 'push', head_sha: 'test-sha-123' } // Oldest
]
}
});

const infoSpy = jest.spyOn(core, 'info').mockImplementation();

const result = await getFirstRunId();

expect(result).toBe(33333); // Should return the oldest run
expect(infoSpy).toHaveBeenCalledWith('First Run ID found: 33333');

infoSpy.mockRestore();
});

it('should return current runId if no first run is found', async () => {
(context.eventName as any) = 'workflow_dispatch';
it('should handle different run IDs', async () => {
(context.runId as any) = 12345;

mockOctokit.rest.actions.getWorkflowRun.mockResolvedValue({
data: {
workflow_id: 'test-workflow',
head_sha: 'test-sha-123'
}
});

mockOctokit.rest.actions.listWorkflowRuns.mockResolvedValue({
data: {
workflow_runs: []
}
});
(context.eventName as any) = 'pull_request'; // Not workflow_dispatch

const result = await getFirstRunId();

expect(result).toBe(12345); // Should return current runId as fallback
});

it('should throw API errors (no error handling in implementation)', async () => {
(context.eventName as any) = 'workflow_dispatch';
(context.runId as any) = 12345;

mockOctokit.rest.actions.getWorkflowRun.mockRejectedValue(new Error('API Error'));

await expect(getFirstRunId()).rejects.toThrow('API Error');
expect(result).toBe(12345);
});
});
});
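Review bot: with the actions mock removed, the remaining getFirstRunId tests only assert that context.runId is echoed back, and the "// Not workflow_dispatch" comments on the eventName assignments now hint at a branch that no longer exists. Either drop those comments or add a workflow_dispatch case asserting the same pass-through, so the suite pins the reverted behaviour instead of restating it. Removing the "should throw API errors" case is only correct if the implementation no longer calls the API at all; say so in the describe block so a later reintroduction of the lookup is caught.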
3 changes: 2 additions & 1 deletion __tests__/undeclared-policy-check.test.ts
Expand Up @@ -43,7 +43,8 @@ jest.mock('@actions/github', () => ({
context: {
repo: { owner: 'mock-owner', repo: 'mock-repo' },
serverUrl: 'github',
runId: 12345678
runId: 12345678,
ref: 'refs/heads/test-branch'
// Add other properties as needed
},
getOctokit: jest.fn().mockReturnValue({
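Review bot: adding ref: 'refs/heads/test-branch' to the mocked context covers the branch case for the new edit-scanoss.json link, but on pull_request events context.ref is the merge ref (refs/pull/<n>/merge), and a file-edit URL built from it will not resolve; add a test with that ref shape to show how the link is derived there (for example from the head branch in the pull_request payload). The serverUrl: 'github' mock value is also not a URL, so any assertion on the generated link string should be checked against a realistic value.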
6 changes: 5 additions & 1 deletion action.yml
Expand Up @@ -59,7 +59,7 @@ inputs:
required: false
runtimeContainer:
description: 'Specify runtime container to perform the scan.'
default: 'ghcr.io/scanoss/scanoss-py:v1.31.5'
default: 'ghcr.io/scanoss/scanoss-py:v1.32.0'
required: false
skipSnippets:
description: 'Skip the generation of snippets.'
Expand Down Expand Up @@ -100,6 +100,10 @@ inputs:
deptrack.projectversion:
description: 'Dependency Track project version'
required: false
matchAnnotations:
description: 'Enable or disable match annotations'
required: false
default: 'true'

outputs:
result-filepath:
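Review bot: the new matchAnnotations input is camelCase while the neighbouring inputs in this file use dotted names (deptrack.projectversion); given the open CodeRabbit thread on dotted IDs this may be deliberate, but pick one convention and note it. Its description should also state the accepted values ('true'/'false' as strings, as the default 'true' implies) and what it controls (file and snippet annotations plus the commit comments), and the README inputs table needs a matching row.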