
Commit 75e56ba

committed
fix(ZMSKVR): fail Psalm CI only when SARIF is missing, not on findings
Psalm exits non-zero when it reports issues but still writes SARIF for CodeQL upload. Treat missing SARIF as the job failure condition instead.
1 parent cce4bab commit 75e56ba

1 file changed

Lines changed: 22 additions & 12 deletions


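--- a/.github/workflows/psalm.yml
+++ b/.github/workflows/psalm.yml
@@ -78,12 +78,19 @@ jobs:
 
 - name: Run Psalm Security Scan
 id: psalm
-continue-on-error: true
 working-directory: ${{ matrix.project }}
 run: |
+set +e
 vendor/bin/psalm \
 --no-progress \
 --report=../results-${{ matrix.project }}.sarif
+psalm_exit=$?
+set -e
+if [ ! -f "../results-${{ matrix.project }}.sarif" ]; then
+echo "Psalm did not produce SARIF for ${{ matrix.project }} (exit code: ${psalm_exit})."
+exit 1
+fi
+echo "Psalm finished for ${{ matrix.project }} with exit code ${psalm_exit}; SARIF written."
 
 - name: Normalize SARIF paths to repository root
 env:
@@ -130,12 +137,10 @@ jobs:
 sarif_file: results-${{ matrix.project }}.sarif
 checkout_path: ${{ matrix.project }}
 
-- name: Fail job if Psalm run or SARIF generation failed
-if: steps.psalm.outcome == 'failure' || steps.sarif.outputs.exists != 'true'
+- name: Fail job if SARIF generation failed
+if: steps.sarif.outputs.exists != 'true'
 run: |
-if [ "${{ steps.sarif.outputs.exists }}" != "true" ]; then
-echo "Missing SARIF output for ${{ matrix.project }} (results-${{ matrix.project }}.sarif)."
-fi
+echo "Missing SARIF output for ${{ matrix.project }} (results-${{ matrix.project }}.sarif)."
 exit 1
 
 psalm-dead-code:
@@ -173,12 +178,19 @@ jobs:
 
 - name: Run Psalm dead-code scan (monorepo)
 id: psalm_dead_code
-continue-on-error: true
 run: |
+set +e
 zmsapi/vendor/bin/psalm \
 -c psalm.monorepo.xml \
 --no-progress \
 --report=results-monorepo.sarif
+psalm_exit=$?
+set -e
+if [ ! -f "results-monorepo.sarif" ]; then
+echo "Psalm did not produce monorepo SARIF (exit code: ${psalm_exit})."
+exit 1
+fi
+echo "Psalm monorepo scan finished with exit code ${psalm_exit}; SARIF written."
 
 - name: Check monorepo SARIF file exists
 id: sarif_monorepo
@@ -195,10 +207,8 @@ jobs:
 with:
 sarif_file: results-monorepo.sarif
 
-- name: Fail job if dead-code scan or SARIF generation failed
-if: steps.psalm_dead_code.outcome == 'failure' || steps.sarif_monorepo.outputs.exists != 'true'
+- name: Fail job if monorepo SARIF generation failed
+if: steps.sarif_monorepo.outputs.exists != 'true'
 run: |
-if [ "${{ steps.sarif_monorepo.outputs.exists }}" != "true" ]; then
-echo "Missing monorepo SARIF output (results-monorepo.sarif)."
-fi
+echo "Missing monorepo SARIF output (results-monorepo.sarif)."
 exit 1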
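Review bot: The new gate in the `Run Psalm Security Scan` step, and the identical one in the monorepo dead-code step, accepts any Psalm exit status as long as a file exists at the report path. A run that crashes after creating an empty or truncated SARIF, or a leftover file at that path, therefore passes and can upload a clean-looking result to code scanning. I would test for a non-empty file with `if [ ! -s "../results-${{ matrix.project }}.sarif" ]; then` and put `rm -f "../results-${{ matrix.project }}.sarif"` before the Psalm call, so that only this run can satisfy the check. It is also worth failing on exit statuses other than 0 and the one Psalm uses for reported issues (2, I believe; confirm against the pinned version), for example `case "$psalm_exit" in 0|2) ;; *) exit 1 ;; esac`. The later steps that check and upload the SARIF are only partly visible here, so whether they validate the file's content cannot be confirmed from this diff.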
