ci: update ShieldCI security scan workflow #7
Zenith1415 wants to merge 6 commits into Akshat-Raj:main from
Conversation
Pull request overview
Updates the ShieldCI GitHub Actions workflow to support additional trigger modes and simplify some step logic for running the self-hosted ShieldCI engine and reporting results.
Changes:
- Add `push` and `workflow_dispatch` triggers alongside `pull_request`.
- Simplify engine checks/copy steps and inline duration calculation output.
- Minor refactors to result-push invocation and PR-comment script formatting.
Comments suppressed due to low confidence (1)
.github/workflows/shieldci.yml:70
- This step is gated with `if: always()` but the workflow now runs on `push`/`workflow_dispatch` too. On those events `context.issue.number` is undefined, so `issues.createComment` will throw and can fail the workflow. Gate this step to PR events (or add a guard in the script to no-op when there is no PR issue number).
- name: Post scan summary as PR comment
if: always()
uses: actions/github-script@v7
| on: | ||
| push: | ||
| branches: [main, master] | ||
| pull_request: | ||
| branches: [main, master] | ||
| workflow_dispatch: |
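Review bot: with the `push:` and `pull_request:` triggers both filtered to `branches: [main, master]`, a PR that is merged gets scanned twice, once as the PR and again as the resulting push to main; if one scan per change is intended, narrow one of the two. The PR-comment step also needs an explicit event gate, e.g. `if: always() && github.event_name == 'pull_request'`, because `context.issue.number` is only populated on pull_request events, and the metadata step should fall back to `github.ref_name`/`github.sha` on push and dispatch runs.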
The workflow now runs on push and workflow_dispatch, but later steps assume a PR context (e.g., github.head_ref, github.event.pull_request.*, and posting a PR comment). On non-PR runs this will produce empty/incorrect metadata and the PR comment step will fail because there’s no context.issue.number. Update the metadata collection and add event-specific conditionals (e.g., only comment on PRs; use github.ref_name/github.sha for push/dispatch).
.github/workflows/shieldci.yml
Outdated
| SHIELDCI_RESULTS_FILE: $HOME/Desktop/ShieldCI/tests/shield_results.json | ||
| run: python3 "$HOME/Desktop/ShieldCI/push_results.py" |
SHIELDCI_RESULTS_FILE: $HOME/... in an env: block won’t be shell-expanded, so the Python script will receive the literal string $HOME/Desktop/... (likely causing file-not-found). Set this using a GitHub expression (if available) or compute/export it within the run: shell using $HOME so it expands correctly.
| SHIELDCI_RESULTS_FILE: $HOME/Desktop/ShieldCI/tests/shield_results.json | |
| run: python3 "$HOME/Desktop/ShieldCI/push_results.py" | |
| run: | | |
| export SHIELDCI_RESULTS_FILE="$HOME/Desktop/ShieldCI/tests/shield_results.json" | |
| python3 "$HOME/Desktop/ShieldCI/push_results.py" |
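Review bot: moving the assignment into `run:` (the `export SHIELDCI_RESULTS_FILE=...` line) does fix the expansion, but the results file still lives at a fixed path under `$HOME/Desktop/ShieldCI/tests/` on the runner, so two jobs running at the same time (more likely now that push, pull_request and workflow_dispatch all trigger the workflow) will overwrite each other's `shield_results.json` before `push_results.py` reads it. Write the results into the job's own workspace (`$GITHUB_WORKSPACE` or `${{ runner.temp }}`) or add a `concurrency` group to the workflow so only one scan runs per ref at a time.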
.github/workflows/shieldci.yml
Outdated
| @@ -65,29 +62,24 @@ | |||
| SHIELDCI_COMMIT_MSG: ${{ steps.meta.outputs.commit_msg }} | |||
| SHIELDCI_DURATION: ${{ steps.scan.outputs.duration }} | |||
| SHIELDCI_TRIGGERED_BY: PR | |||
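Review bot: `SHIELDCI_TRIGGERED_BY: PR` can simply be `${{ github.event_name }}`, which yields `pull_request`, `push` or `workflow_dispatch` without extra branching; if the dashboard expects the literal `PR`, map the value inside `push_results.py` rather than in the workflow. Passing `commit_msg` through `env:` (the `SHIELDCI_COMMIT_MSG` line) instead of interpolating `${{ }}` directly into a `run:` script is the right pattern here: the commit message is contributor-controlled on PR runs and would be a shell-injection vector if expanded inline.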
SHIELDCI_TRIGGERED_BY is hardcoded to PR, but the workflow now runs on push and workflow_dispatch as well. Consider setting this based on github.event_name so dashboard data isn’t misclassified.
Cleaning up log creation
No description provided.