Expose output-file as an output when advanced-security: true (#87)

unlobito · lachlankidson · woodruffw · web-flow · commit fb9497493b59 · 2026-02-01T01:05:49.000+01:00
Co-authored-by: Lachlan Kidson &lt;lachlan.kidson@skyscanner.net&gt;
Co-authored-by: William Woodruff &lt;william@yossarian.net&gt;
diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml
@@ -207,6 +207,28 @@ jobs:
           inputs: woodruffw-experiments/empty
           fail-on-no-inputs: false
 
+  selftest-output-file-output-is-present-when-advanced-security:
+    name: "TEST: 'outputs.output-file' is present when `advanced-security: true`"
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: ./
+        id: zizmor
+        with:
+          advanced-security: true
+
+      - name: Test output-file
+        run: |
+          jq < "${OUTPUT_FILE}"
+        env:
+          OUTPUT_FILE: ${{ steps.zizmor.outputs.output-file }}
+
   all-selftests-pass:
     if: always()
 
@@ -221,6 +243,7 @@ jobs:
       - selftest-annotations-advanced-security-exclusive-xfail
       - selftest-fail-on-no-inputs-xfail
       - selftest-fail-on-no-inputs-disabled
+      - selftest-output-file-output-is-present-when-advanced-security
 
     runs-on: ubuntu-latest
 
diff --git a/README.md b/README.md
@@ -21,6 +21,7 @@ Run [`zizmor`] from GitHub Actions!
   - [`annotations`](#annotations)
   - [`color`](#color)
   - [`config`](#config)
+- [Outputs](#outputs)
 - [Permissions](#permissions)
 - [Troubleshooting](#troubleshooting)
 
@@ -276,6 +277,14 @@ succeed even if no inputs were found.
 > on earlier versions of `zizmor`, meaning that the action will always fail
 > if no inputs are found on earlier versions.
 
+## Outputs
+
+### `output-file`
+
+When `advanced-security: true`, the `output-file` output will contain a filepath
+for `zizmor`'s static analysis results in the SARIF format.
+
+
 ## Permissions
 
 `zizmor-action` requires different permissions depending on how you use it.
diff --git a/action.yml b/action.yml
@@ -5,6 +5,11 @@ branding:
   icon: "shield"
   color: "blue"
 
+outputs:
+  output-file:
+    description: Filepath to static analysis results in SARIF format"
+    value: ${{ steps.run-zizmor.outputs.sarif-file }}
+
 inputs:
   inputs:
     description: |
