Commit 5aff8ef

Add fail-on-no-inputs option (#67)
1 parent 4d497b9 commit 5aff8ef

3 files changed

Lines changed: 36 additions & 1 deletion

README.md

Lines changed: 13 additions & 0 deletions
@@ -263,6 +263,19 @@ See the [Configuration - Discovery] documentation for how explicit configuration
263263

264264
[Configuration - Discovery]: https://docs.zizmor.sh/configuration/#discovery
265265

266+
### `fail-on-no-inputs`
267+
268+
*Default*: `true`
269+
270+
`fail-on-no-inputs` controls whether the action fails if no inputs
271+
were collected by `zizmor`. If set to `false`, the action will
272+
succeed even if no inputs were found.
273+
274+
> [!IMPORTANT]
275+
> This input only works with `zizmor v1.21.0` and later. It has no effect
276+
> on earlier versions of `zizmor`, meaning that the action will always fail
277+
> if no inputs are found on earlier versions.
278+
266279
## Permissions
267280

268281
`zizmor-action` requires different permissions depending on how you use it.
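
Review bot: The new `fail-on-no-inputs` section says the action "will succeed even if no inputs were found" but leaves out that a warning is still emitted, which the `action.yml` description does state ("with a warning message instead"). Align the two texts, and say plainly that with `false` a run in which `zizmor` collected nothing reports success without having audited anything, so readers know to look for the warning rather than trust the green check.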

action.sh

Lines changed: 11 additions & 1 deletion
@@ -2,7 +2,7 @@
22

33
# action.sh: run zizmor via Docker
44

5-
set -euo pipefail
5+
set -eu
66

77
dbg() {
88
echo "::debug::${*}"
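
Review bot: Dropping `pipefail` on line 5 changes behaviour for the whole script, not only for the `docker run ... | tee "${output}"` pipeline whose status is later read from `PIPESTATUS`, so a failure on the left-hand side of any other pipeline in `action.sh` would now go unnoticed. Consider keeping `set -euo pipefail` and relaxing it only around that one pipeline (for example `set +o pipefail` immediately before it), with a comment explaining why, since the reason is not evident from `set -eu` alone.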
@@ -106,3 +106,13 @@ docker run \
106106
-- \
107107
${GHA_ZIZMOR_INPUTS} \
108108
| tee "${output}"
109+
110+
exitcode="${PIPESTATUS[0]}"
111+
dbg "zizmor exited with code ${exitcode}"
112+
113+
if [[ "${exitcode}" -eq 3 ]]; then
114+
warn "No inputs were collected by zizmor"
115+
[[ "${GHA_ZIZMOR_FAIL_ON_NO_INPUTS}" = "false" ]] && exit 0
116+
fi
117+
118+
exit "${exitcode}"
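
Review bot: The bare `3` on line 113 is an undocumented magic number. Add a comment, or a named variable, stating that it is the exit code `zizmor` uses when no inputs were collected and that it depends on `zizmor v1.21.0` or later, as the README notes. Separately, on line 115 `"${GHA_ZIZMOR_FAIL_ON_NO_INPUTS}"` is expanded under `set -eu`, so running the script without that variable set aborts with an unbound-variable error instead of falling back to the documented default; `"${GHA_ZIZMOR_FAIL_ON_NO_INPUTS:-true}"` would keep the default failing behaviour. The `[[ ... ]] && exit 0` form also relies on `set -e` ignoring a failed left-hand side of `&&`; an explicit nested `if` would be easier to read.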

action.yml

Lines changed: 12 additions & 0 deletions
@@ -73,7 +73,18 @@ inputs:
7373
config:
7474
description: Path to a custom zizmor configuration file Path (e.g., zizmor.yml).
7575
required: false
76+
fail-on-no-inputs:
77+
description: |
78+
Whether the action should fail if no inputs are collected by zizmor.
79+
80+
By default, zizmor will fail if it couldn't collect any inputs to audit.
81+
Setting this option to `false` will make the action succeed in such cases,
82+
with a warning message instead.
7683
84+
This input only works with zizmor v1.21.0 and later. Earlier versions
85+
will always fail on no inputs.
86+
required: false
87+
default: "true"
7788

7889
runs:
7990
using: composite
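
Review bot: The `fail-on-no-inputs` description does not say that only the exact lowercase string `false` disables the failure, which is what the comparison in `action.sh` (`= "false"`) implements. Values such as `False` or `FALSE` will silently keep the default failing behaviour. That is the safe direction, but it will be confusing to debug, so either state the accepted values in the description or have `action.sh` normalise the value and warn when it is neither `true` nor `false`.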
@@ -94,6 +105,7 @@ runs:
94105
GHA_ZIZMOR_COLOR: ${{ inputs.color }}
95106
GHA_ZIZMOR_ANNOTATIONS: ${{ inputs.annotations }}
96107
GHA_ZIZMOR_CONFIG: ${{ inputs.config }}
108+
GHA_ZIZMOR_FAIL_ON_NO_INPUTS: ${{ inputs.fail-on-no-inputs }}
97109
shell: bash
98110

99111
- name: Upload SARIF file to GitHub Advanced Security
