Skip to content

Commit a5b3e83

Browse files
committed
fix: emit GHA error annotations for unknown govulncheck vulnerability IDs
Add ::error:: annotation output for each unfixed vulnerability ID so the ID is visible in the check run annotations API without needing log access. Fixes the diagnosis gap where IDs were only in the raw job log. https://claude.ai/code/session_018ji3prTSK6AKEFqRfZQbBQ
1 parent f152d0b commit a5b3e83

1 file changed

Lines changed: 6 additions & 4 deletions

File tree

.github/workflows/engine-ci.yml

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -66,13 +66,15 @@ jobs:
6666
# Fixed in: N/A — no upstream fix available. Remove exclusions when a patched release ships.
6767
OUTPUT=$(govulncheck ./... 2>&1 || true)
6868
echo "$OUTPUT"
69-
# Extract and log all found IDs so failures are easy to diagnose.
69+
# Emit each actionable vulnerability ID as a GHA error annotation for visibility.
7070
ALL_IDS=$(echo "$OUTPUT" | grep -oE 'GO-[0-9]+-[0-9]+' | sort -u || true)
71-
echo "--- govulncheck: all vulnerability IDs found: ${ALL_IDS:-none} ---"
71+
echo "govulncheck IDs found: ${ALL_IDS:-none}"
72+
ACTIONABLE_IDS=$(echo "$ALL_IDS" | grep -vE '^(GO-2026-4887|GO-2026-4883)$' || true)
73+
for ID in $ACTIONABLE_IDS; do
74+
echo "::error title=Unfixed vulnerability::$ID — add to exclusion list or upgrade the affected dependency"
75+
done
7276
ACTIONABLE=$(echo "$OUTPUT" | grep -E '^Vulnerability #[0-9]+:' | grep -vE 'GO-2026-4887|GO-2026-4883' || true)
7377
if [ -n "$ACTIONABLE" ]; then
74-
echo "FAIL: unfixed actionable vulnerabilities found:"
75-
echo "$ACTIONABLE"
7678
exit 1
7779
fi
7880

0 commit comments

Comments
 (0)