fix(ci): Hypatia reusable gate uploads findings instead of failing opaquely #424
Merged
…aquely

The "Run Hypatia scan" step runs `hypatia-cli.sh scan` under the default `bash -eo pipefail`. hypatia-cli exits 1 whenever findings exist (its documented behaviour), so the step aborted at the scan line BEFORE the jq counts, $GITHUB_OUTPUT, and the step summary ran — and because the "Upload findings artifacts" step had no `if:`, it was skipped on that failure. Net effect: the gate went red with zero visible findings.

Two minimal changes restore visibility:

- scan: add `--exit-zero` (the CLI flag built for this) so the step succeeds and the severity counts/outputs/summary populate. Gating is on the counts, not the scanner exit code (the existing "Check for critical issues" step already warns-don't-fail / fix-forward).
- upload: `if: always()` so findings upload even when an earlier step (build, scan) fails.

No behaviour change for clean repos; failing repos now surface their findings as an artifact + step summary instead of an opaque red X.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Make the Hypatia reusable gate visible, not opaque
The `Run Hypatia scan` step runs `hypatia-cli.sh scan` under the default `bash -eo pipefail`. `hypatia-cli` exits 1 whenever findings exist (documented behaviour), so the step aborts at the scan line before the `jq` counts / `$GITHUB_OUTPUT` / step-summary run — and because `Upload findings artifacts` had no `if:`, it's skipped on that failure. Result: a red ❌ with zero visible findings.

Changes (minimal, licence-neutral)

- `--exit-zero` (the CLI flag built exactly for "CI gates on the counts"), so the step succeeds and the severity counts / outputs / step-summary populate. Gating is already done on the counts (the `Check for critical issues` step warns-don't-fail / fix-forward), not on the scanner's exit code.
- `if: always()` so findings upload even when an earlier step (build / scan) fails.

No behaviour change for clean repos; failing repos now surface findings as an artifact + step summary instead of an opaque red X.
🤖 Generated with Claude Code
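
The failure mode this PR describes, reproduced as an added example (not code from the PR or from the Hypatia project): a step body run under `bash -eo pipefail` whose scanner exits 1 when findings exist, with and without `--exit-zero`. The `scan` stub, the file names `findings.json` and `summary.txt`, and `grep -c` standing in for the `jq` counts are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo. `scan` is a stand-in, not hypatia-cli: it writes findings
# and exits 1 when any exist, unless called with --exit-zero.

# run_step [--exit-zero]: run the step body under `bash -eo pipefail`
# and report the step's exit code and which outputs survived.
run_step() {
  local dir rc=0 summary findings
  dir=$(mktemp -d)
  cat > "$dir/step.sh" <<'EOF'
scan() {
  printf '%s\n' '{"severity":"critical"}' '{"severity":"high"}' \
    '{"severity":"high"}' > findings.json   # constructed sample findings
  [ "${1:-}" = "--exit-zero" ] && return 0
  return 1
}
scan "$@"                 # errexit aborts the step here on exit 1
# Everything below runs only if the scan line succeeded.
critical=$(grep -c '"critical"' findings.json || true)
high=$(grep -c '"high"' findings.json || true)
echo "critical=$critical high=$high" > summary.txt
EOF
  (cd "$dir" && bash -eo pipefail step.sh "$@") || rc=$?
  summary=$(cat "$dir/summary.txt" 2>/dev/null || echo none)
  findings=missing
  [ -s "$dir/findings.json" ] && findings=written
  rm -rf "$dir"
  echo "exit=$rc summary=$summary findings=$findings"
}

run_step               # scanner exit code aborts the step: no counts
run_step --exit-zero   # step completes: counts are available for gating
```

In the first run the findings file exists but the counts were never computed, which is why the upload step also needs `if: always()` to publish it after a failed step.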