Add GitHub Actions native output (annotations + job summary) + reusable action.yml#222
Open
seonghobae wants to merge 2 commits into
Open
Add GitHub Actions native output (annotations + job summary) + reusable action.yml#222seonghobae wants to merge 2 commits into
seonghobae wants to merge 2 commits into
Conversation
The scanner already ran in GitHub Actions via `monitor` (SARIF upload only). This makes it correspond to GitHub-native surfaces developers actually watch: - appguardrail_core/github_actions.py: inside Actions (GITHUB_ACTIONS=true) emit `::error`/`::warning` workflow annotations (deploy-blocking -> error) so findings show inline on the PR diff, and append a severity-breakdown job summary to $GITHUB_STEP_SUMMARY. GitHub-spec escaping (%0A/%2C/%3A). stdlib only. - `scan --github` forces the same output locally; auto-on inside Actions (no flag). The existing monitor workflow gains inline annotations with zero changes. - action.yml (repo root): reusable composite action — `uses: .../appguardrail@v1` runs scan + SARIF upload + deploy gate. inputs path/sarif/upload-sarif/ fail-on-blocking/version; outputs sarif/exit-code. - Tests: tests/test_github_actions.py (levels, escaping, custom blocking fn, summary markdown, file write, bad-path resilience) + module self-check. - Verified: full suite 228 passed; e2e scan in a forced Actions env emits annotations + writes the step summary. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01EywwS2Du8pimW7xqRP3An3
…ative) (#226) Inline annotations show findings on the diff; this adds the one-place roll-up reviewers expect — a single sticky PR comment that updates in place per push. - appguardrail_core/github_comment.py: reads a findings JSON (`scan --findings-json`), builds a markdown summary (reuses github_actions.step_summary_md), and upserts a comment marked with a hidden anchor via the GitHub REST API (urllib + GITHUB_TOKEN). Resolves the PR number from the event payload or refs/pull/N. Any API failure is swallowed so it never fails the security gate. stdlib only. Run: `python -m appguardrail_core.github_comment <findings.json>`. - action.yml: scan now also writes findings JSON; a `Post PR comment` step runs on pull_request events (new input `pr-comment`, default true; needs pull-requests: write). - Tests: tests/test_github_comment.py (marker, PR-number resolution, skip paths, create-then-update upsert, findings-json loading) + module self-check. - Verified: full suite 235 passed. Claude-Session: https://claude.ai/code/session_01EywwS2Du8pimW7xqRP3An3 Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
| return int(pr["number"]) | ||
| if event.get("number"): | ||
| return int(event["number"]) | ||
| except (OSError, ValueError, KeyError): |
| @@ -0,0 +1,66 @@ | |||
| """Tests for GitHub Actions native output (appguardrail_core.github_actions).""" | |||
|
|
|||
| import os | |||
| calls = [] | ||
| state = {"comments": []} | ||
|
|
||
| def fake_request(method, url, token, body=None): |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
AppGuardrail already ran in GitHub Actions via
appguardrail monitor, but only uploaded SARIF. This makes it correspond to the GitHub-native surfaces developers actually watch, and ships a one-line reusable action.GITHUB_ACTIONS=true) the scanner emits::error(deploy-blocking) /::warningworkflow commands on the exact file/line, so findings appear on the PR diff. GitHub-spec escaping (%0A/%2C/%3A).$GITHUB_STEP_SUMMARY.scan --githubforces it locally. The existingmonitorworkflow gains inline annotations with zero changes.action.yml(repo root) — reusable composite action:uses: ContextualWisdomLab/appguardrail@v1→ scan + SARIF upload + deploy gate. Inputspath/sarif/upload-sarif/fail-on-blocking/version; outputssarif/exit-code.Stdlib only, no new dependency.
Test plan
pytest— 228 passed, incl.tests/test_github_actions.py(annotation levels, GitHub escaping, custom blocking fn, summary markdown, summary-file write, unwritable-path resilience) + module self-check.GITHUB_ACTIONS=true appguardrail scan <dir>emits::error/::warningand writes the step summary;--githubreproduces it locally.🤖 Generated with Claude Code