Skip to content

feat(sarif): add sarif input + upload-sarif step#1

Merged
skil-lock merged 1 commit into
mainfrom
feat/sarif
May 21, 2026
Merged

feat(sarif): add sarif input + upload-sarif step#1
skil-lock merged 1 commit into
mainfrom
feat/sarif

Conversation

@skil-lock

Copy link
Copy Markdown
Contributor

Summary

  • New optional sarif input on the composite action (default false). When true, runs skil-lock ci --format sarif to ${RUNNER_TEMP}/skil-lock.sarif and uploads via github/codeql-action/upload-sarif@v4 with category: skil-lock.
  • README + MARKETPLACE.md document the new input and the required security-events: write permission.
  • All install snippets bumped to v0.1.1 (binary + Action).

Pairs with skills-lock/skil-lock#9 (already merged + tagged v0.1.1).

Test plan

  • yaml-lint workflow validates action.yml
  • composite-smoke testdata still pins v0.1.0 so this PR's CI exercises the unchanged happy path
  • After this merges + the Action repo gets its own v0.1.1 tag, switch testdata to v0.1.1 + add a SARIF smoke step (follow-up commit)
  • Real PR with sarif: true to verify the upload step posts to Code Scanning

🤖 Generated with Claude Code

- action.yml: new optional `sarif` input (default false). When true: run
  `skil-lock ci --format sarif` to ${RUNNER_TEMP}/skil-lock.sarif, then
  upload via github/codeql-action/upload-sarif@v4 (category: skil-lock).
- README + MARKETPLACE: document the new input, the security-events:write
  permission, and the install snippets bump to v0.1.1.

Pairs with skills-lock/skil-lock PR #9 (v0.1.1 binary).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@skil-lock skil-lock merged commit 1e9cf3a into main May 21, 2026
5 checks passed
@skil-lock skil-lock deleted the feat/sarif branch May 21, 2026 07:37
skil-lock added a commit that referenced this pull request May 22, 2026
…nts (#2)

`gh api -f body=@$BODY` was being interpreted as a string literal, not
a curl-style file reference — gh CLI does not support `@file` in -f
arguments. As a result, every live PR comment posted by the Action since
v0.1.0 contained the verbatim text `@/home/runner/work/_temp/skil-lock-pr-comment.md`
instead of the capability-delta markdown.

The bug was latent because the only CI exercise of this step
(`composite-smoke`) runs on `push`, so the `if: github.event_name ==
'pull_request'` guard skipped it — the path was never executed until
the live SARIF verification PR on
`skills-lock/example-claude-code-skills#1` (2026-05-22).

Fix: round-trip the file contents through `jq -Rs '{body: .}'` to
produce a safe JSON payload, then pipe it to `gh api --input -`.
`jq -Rs` handles arbitrary text (newlines, quotes, backticks, unicode)
without shell-escaping pitfalls. `jq` is preinstalled on
`ubuntu-latest` and `macos-latest` runners, which are the only
platforms the composite supports.

Verified against PR #1 of example-claude-code-skills on the fix branch
after this commit lands.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant