Fix OSSAR workflow: replace github/ossar-action with Microsoft Security DevOps CLI #81
Copilot wants to merge 4 commits into
… fix YAML structure
Co-authored-by: JMG3000 <105582814+JMG3000@users.noreply.github.com>
Agent-Logs-Url: https://github.com/codingUnited/MokseWebsite/sessions/91c019e6-0ff0-40be-8a28-11715c98d4fb
Pull request overview
This PR fixes the repository’s code scanning workflow by replacing the deprecated/incorrect OSSAR action usage with the Microsoft Security DevOps (MSDO) action and correcting the workflow structure so it can run.
Changes:
- Replace `github/ossar-action@v1` with `microsoft/security-devops-action@v1`.
- Fix malformed workflow YAML where `steps` were previously nested under `env:`.
- Update workflow/job naming and SARIF upload to reference the MSDO step output.
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| # Run Microsoft Security DevOps CLI | ||
| - name: Run Microsoft Security DevOps | ||
| uses: microsoft/security-devops-action@v1 | ||
| id: msdo | ||
|
|
||
| # Upload results to the Security tab | ||
| - name: Upload results to Security tab | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| with: | ||
| sarif_file: ${{ steps.msdo.outputs.sarifFile }} |
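Review bot: all three `uses:` references in this hunk (`actions/checkout@v4`, `microsoft/security-devops-action@v1`, `github/codeql-action/upload-sarif@v3`) are pinned to mutable tags, while the existing upload step elsewhere in this file pins `github/codeql-action/upload-sarif@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3`; pin the new actions to release commit SHAs the same way so a retagged action cannot silently change what the scan job runs. The new upload step also has no `if:` guard on `steps.msdo.outputs.sarifFile`, unlike the existing `if: steps.ossar.outputs.sarifFile`, so a scan that produces no SARIF file would fail the job instead of skipping the upload.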
The steps sequence is not indented under the steps: key (the - name: lines are at the same indentation level as steps:), which makes this workflow invalid YAML and will prevent the job from running. Indent all step entries (and their nested keys) so they are children of steps:.
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # Run Microsoft Security DevOps CLI | |
| - name: Run Microsoft Security DevOps | |
| uses: microsoft/security-devops-action@v1 | |
| id: msdo | |
| # Upload results to the Security tab | |
| - name: Upload results to Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: ${{ steps.msdo.outputs.sarifFile }} | |
Co-authored-by: JMG3000 <105582814+JMG3000@users.noreply.github.com>
Agent-Logs-Url: https://github.com/codingUnited/MokseWebsite/sessions/eb4299a0-5562-4481-948a-5f1a3313627a
Yes, this PR is synced with
@copilot analyze the two conflicts in the changed files and tell me which one is the most up to date after the latest merge.
Here's the analysis of the two conflicting versions of Version A — Base branch (
Version B — This PR branch (
Which is most up to date? The base branch version (
@copilot I want to use both the OSSAR and MS security DevOps. Open a new pull request to repair the toolchain upgrade by amending the code for OSSAR in the ossar.yml and adding the code for the MS security DevOps tool. I want to review all changes before proceeding.
@JMG3000 The model You can try again without specifying a model (just If you want to contact GitHub about this error, please mention the following identifier so they can better serve you:
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 5 comments.
| env: | ||
| # Opt-in early to Node.js 24 for all JavaScript-based actions | ||
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true | ||
|
|
||
| jobs: | ||
| MSDO-Scan: |
This adds a second top-level env:/jobs: block even though the workflow already defines jobs: above. YAML duplicate keys will cause the earlier jobs: (including OSSAR-Scan) to be ignored or make the workflow invalid depending on the parser. Merge into a single top-level jobs: and keep env: defined only once (either at root or within the job).
| # Run Microsoft Security DevOps CLI | ||
| - name: Run Microsoft Security DevOps | ||
| uses: microsoft/security-devops-action@v1 | ||
| id: msdo |
This new step sets id: msdo, but there is already another step later in the same job with id: msdo. Step IDs must be unique within a job; otherwise the workflow fails validation and ${{ steps.msdo.outputs.* }} becomes ambiguous. Remove one of the duplicate steps or give one a different id.
| id: msdo | |
| id: msdo_initial |
| # Upload results to the Security tab | ||
| - name: Upload results to Security tab | ||
| uses: github/codeql-action/upload-sarif@v3 |
github/codeql-action/upload-sarif@v3 requires with: sarif_file: (or sarif_file via inputs). This step has no with block, so it will fail at runtime. Either add the sarif_file input (likely from steps.msdo.outputs.sarifFile) or remove this redundant upload step.
| # Upload results to the Security tab | |
| - name: Upload results to Security tab | |
| uses: github/codeql-action/upload-sarif@v3 |
| uses: github/codeql-action/upload-sarif@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3 | ||
| with: | ||
| sarif_file: ${{ steps.ossar.outputs.sarifFile }} | ||
| sarif_file: ${{ steps.msdo.outputs.sarifFile }} |
This step now uploads ${{ steps.msdo.outputs.sarifFile }} but (1) there's already an "Upload MSDO results" step above that uploads the same output, and (2) unlike that step, this one has no if: guard. If sarifFile is empty/undefined, this upload will likely fail the job. Remove this duplicate upload step or restore it to uploading OSSAR output and add an appropriate if: condition.
| sarif_file: ${{ steps.msdo.outputs.sarifFile }} | |
| sarif_file: ${{ steps.ossar.outputs.sarifFile }} | |
| if: steps.ossar.outputs.sarifFile |
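The review comments above all point at workflow defects that only surface once the file is pushed: step entries misplaced under `env:`, a second top-level `jobs:`/`env:` block, two steps sharing `id: msdo`, an `upload-sarif` step with no `sarif_file`, and an upload with no `if:` guard. The checker below is an added example written for this review, not code from the MokseWebsite repository or from the Copilot reviewer. It scans the small YAML subset that workflow files use with a hand-rolled line scanner (assumption: no YAML library available), the two workflow strings are constructed samples (the all-zero commit SHAs are placeholders), and the commit-SHA pinning check goes beyond the review comments, following the pinned `upload-sarif@e5f05b81…` reference already present in the base file. The corrected sample also carries the `if:` guard the last comment asks for.

```python
import re
from collections import Counter

# One "key:" line of the workflow: indent, optional "- " list marker, key, value.
KEY_RE = re.compile(r"^(\s*)(-\s+)?([A-Za-z_][\w.-]*):\s*(.*)$")
SHA_RE = re.compile(r"@[0-9a-f]{40}\b")  # action reference pinned to a full commit SHA

def _indent(line):
    return len(line) - len(line.lstrip(" "))

def _key(line):
    return (m := KEY_RE.match(line)) and m.group(3)

def _field(step, key):
    vals = [KEY_RE.match(l).group(4).strip() for l in step if _key(l) == key]
    return (vals[0] or None) if vals else None

def _steps_blocks(lines):
    """Yield (job_name, [step_lines, ...]) for every `steps:` key found."""
    for i, (_, line) in enumerate(lines):
        if _key(line) != "steps" or line.lstrip().startswith("- "):
            continue
        s_ind = _indent(line)
        # the owning job is the nearest preceding key shallower than steps:
        job = next((_key(l) for _, l in reversed(lines[:i])
                    if _indent(l) < s_ind and _key(l)), "?")
        steps = []
        for _, l in lines[i + 1:]:
            ind, item = _indent(l), l.lstrip().startswith("- ")
            # a list may sit level with its key; anything else at or above ends the block
            if ind < s_ind or (ind == s_ind and not item):
                break
            if item and (not steps or ind == _indent(steps[0][0])):
                steps.append([])  # a new step begins at each top-level item
            if steps:
                steps[-1].append(l)
        yield job, steps

def lint_workflow(text):
    """Return human-readable findings; an empty list means all checks pass."""
    lines = [(n, l) for n, l in enumerate(text.splitlines(), 1)
             if l.strip() and not l.lstrip().startswith("#")]
    findings = []
    # 1. duplicate top-level keys: a second jobs:/env: shadows or breaks the first
    top = Counter(_key(l) for _, l in lines
                  if _indent(l) == 0 and _key(l) and not l.startswith("- "))
    findings += [f"duplicate top-level key '{k}' ({c}x)" for k, c in top.items() if c > 1]
    # 2. env: must hold key/value pairs; "- " items under it are misplaced steps
    for i, (n, l) in enumerate(lines[:-1]):
        if _indent(l) == 0 and _key(l) == "env" and lines[i + 1][1].lstrip().startswith("- "):
            findings.append(f"line {n}: 'env:' holds list items instead of key/value pairs")
    # 3. per-job checks: unique step ids, a SARIF file for upload-sarif, pinned actions
    for job, steps in _steps_blocks(lines):
        if not steps:
            findings.append(f"job '{job}': 'steps:' has no entries")
            continue
        ids = Counter(i for i in (_field(s, "id") for s in steps) if i)
        findings += [f"job '{job}': duplicate step id '{i}'" for i, c in ids.items() if c > 1]
        for s in steps:
            uses = _field(s, "uses") or ""
            if "codeql-action/upload-sarif" in uses and not _field(s, "sarif_file"):
                findings.append(f"job '{job}': upload-sarif step lacks with.sarif_file")
            if uses and not SHA_RE.search(uses):
                findings.append(f"job '{job}': '{uses}' is pinned to a mutable tag, not a commit SHA")
    return findings

# Constructed sample reproducing the review findings (not the repository's file).
BAD_WORKFLOW = """\
env:
  - uses: actions/checkout@v4
jobs:
  OSSAR-Scan:
    steps:
      - uses: microsoft/security-devops-action@v1
        id: msdo
      - uses: microsoft/security-devops-action@v1
        id: msdo
      - uses: github/codeql-action/upload-sarif@v3
env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
jobs:
  MSDO-Scan:
    steps:
"""
# Constructed corrected form: one jobs: block, unique ids, guarded upload, SHA-pinned actions.
GOOD_WORKFLOW = """\
env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
jobs:
  MSDO-Scan:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - uses: microsoft/security-devops-action@0000000000000000000000000000000000000000  # placeholder SHA
        id: msdo
      - uses: github/codeql-action/upload-sarif@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118  # v3
        if: steps.msdo.outputs.sarifFile
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
"""
```

Run `lint_workflow` over each file under `.github/workflows/` as a pre-commit hook or a first CI step and fail on a non-empty list. The scanner is deliberately narrow; a real YAML parser with a duplicate-key-rejecting loader is the natural next step, and it does not verify that the job grants `permissions: security-events: write`, which the SARIF upload needs in addition to the inputs checked here.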
| # This workflow integrates the Microsoft Security DevOps CLI with GitHub code scanning. | ||
| # For documentation, visit https://aka.ms/msdo-github | ||
| name: Microsoft Security DevOps |
The PR description says OSSAR was replaced, but this workflow file still contains an OSSAR-Scan job and later steps that run github/ossar-action. If the intent is to fully migrate to Microsoft Security DevOps, remove the remaining OSSAR job/steps; if both are intended, update the description and naming to reflect that.
Review: All changes have been reviewed and rejected based on the need for a re-assessment. Status: Denied
The workflow claimed to integrate the Microsoft Security DevOps CLI but only ran `github/ossar-action`. A prior commit also introduced malformed YAML that placed step definitions inside the `env:` block, rendering the workflow invalid.

Changes
- Replace `github/ossar-action@v1` with `microsoft/security-devops-action@v1` — aligns implementation with the stated intent
- Steps were placed under `env:` instead of under `jobs.<job>.steps:`
- Workflow name (`OSSAR` → `Microsoft Security DevOps`) and job name (`OSSAR-Scan` → `MSDO-Scan`) updated for consistency
- SARIF upload: `steps.ossar.outputs.sarifFile` → `steps.msdo.outputs.sarifFile`