Skip to content

cli: add a "GitHub" output format#634

Merged
woodruffw merged 21 commits intomainfrom
ww/github-workflow-commands
Apr 7, 2025
Merged

cli: add a "GitHub" output format#634
woodruffw merged 21 commits intomainfrom
ww/github-workflow-commands

Conversation

@woodruffw
Copy link
Copy Markdown
Member

@woodruffw woodruffw commented Mar 27, 2025

Closes #633.

@woodruffw
cli: add a "GitHub" output format
91417b7 
Closes #633.

Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw woodruffw self-assigned this Mar 27, 2025
@woodruffw
try using SARIF path
6b31ef6 
Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw
fix lines
3c27e6f 
Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw
fmt
8dbeada 
Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw
add --no-exit-codes
8d1003d 
Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw
bump help snippet
e32a2b7 
Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw
bump snippet
ff76294 
Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw
integration test for github output
c490da7 
Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw woodruffw marked this pull request as ready for review March 27, 2025 09:53
@woodruffw
Copy link
Copy Markdown
Member Author

woodruffw commented Mar 27, 2025

This works, but comes with some significant limitations that make me hesitant to merge it: GitHub Actions currently limits check annotations to 10 per step, or 50 per job (if multiple steps are producing annotations). As a result, any zizmor run that produces a nontrivial number of annotations will have some annotations dropped, probably in a first-come-first serve basis.

In practice, I think this makes check annotations unworkable/unusable in the general case, since users have to dive into the action logs to see the findings that aren't given a check annotation due to the limit.

More context here: https://github.com/orgs/community/discussions/26680, https://github.com/orgs/community/discussions/68471

@woodruffw woodruffw mentioned this pull request Mar 27, 2025
Closed
2 tasks
@woodruffw
Copy link
Copy Markdown
Member Author

woodruffw commented Apr 6, 2025

I'm not fully sure why, but GitHub's annotations also seem to be slightly buggy with spans that end at the end of input:

The above should have three annotations (one at the very end of the file), but that last one doesn't render.

woodruffw added 5 commits April 7, 2025 17:02
@woodruffw
try something else
5cfd630 
Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw
Merge branch 'main' into ww/github-workflow-commands
c457d53
@woodruffw
fixup snapshot
d486b94 
Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw
one last hack
4d90af4 
Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw
add primary annotation to message
26b91f3 
Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw
Copy link
Copy Markdown
Member Author

woodruffw commented Apr 7, 2025

This now works as expected:

Screenshot 2025-04-07 at 5 27 04 PM

The last thing to do here is document the limitations.

@woodruffw woodruffw merged commit 4d5c79a into main Apr 7, 2025
8 checks passed
@woodruffw woodruffw deleted the ww/github-workflow-commands branch April 7, 2025 23:51
aldur pushed a commit to aldur/zizmor that referenced this pull request May 5, 2025
@woodruffw @aldur
cli: add a "GitHub" output format (zizmorcore#634)
69d2edb 
* cli: add a "GitHub" output format

Closes zizmorcore#633.

Signed-off-by: William Woodruff <william@yossarian.net>

* try using SARIF path

Signed-off-by: William Woodruff <william@yossarian.net>

* fix lines

Signed-off-by: William Woodruff <william@yossarian.net>

* fmt

Signed-off-by: William Woodruff <william@yossarian.net>

* add --no-exit-codes

Signed-off-by: William Woodruff <william@yossarian.net>

* bump help snippet

Signed-off-by: William Woodruff <william@yossarian.net>

* bump snippet

Signed-off-by: William Woodruff <william@yossarian.net>

* integration test for github output

Signed-off-by: William Woodruff <william@yossarian.net>

* github: output tweaks

* update snapshot

* test-output: test GitHub output on just one file

* remove columns

* bump snapshot

* try something else

Signed-off-by: William Woodruff <william@yossarian.net>

* fixup snapshot

Signed-off-by: William Woodruff <william@yossarian.net>

* one last hack

Signed-off-by: William Woodruff <william@yossarian.net>

* add primary annotation to message

Signed-off-by: William Woodruff <william@yossarian.net>

* usage: document --format=github, add integration docs

Signed-off-by: William Woodruff <william@yossarian.net>

* docs: update release notes

---------

Signed-off-by: William Woodruff <william@yossarian.net>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@woodruffw woodruffw

Labels

blocked test-github-presentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Feature: format output with GitHub Actions workflow commands

1 participant

@woodruffw