-
Notifications
You must be signed in to change notification settings - Fork 0
ci: finish PR verification hardening #472
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
+62
−28
Merged
Changes from all commits
Commits
Show all changes
2 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
Repository: BigSimmo/Database
Length of output: 2298
🌐 Web query:
GitHub Actions job-level continue-on-error failed step checkout container initialization workflow passes without running later steps💡 Result:
In GitHub Actions, the
continue-on-error: trueattribute is designed to prevent a job from failing when a specific step fails, allowing subsequent steps in that job to execute [1][2]. If your workflow appears to stop after a step withcontinue-on-error: truefails, it is likely due to one of the following reasons: 1. Step Outcome vs. Conclusion: Whencontinue-on-erroris set totrue, the step'soutcomewill reflect the actual failure (e.g., 'failure'), but the step'sconclusionwill be 'success' because the error was suppressed [3][4]. If you have subsequent steps that use conditional logic (e.g.,if: failure()), they will not run because GitHub Actions evaluates them based on the step'sconclusion[3][4]. To detect the failure in later steps, you should check theoutcomeproperty instead:if: steps.<step_id>.outcome == 'failure'[2][4]. 2. Container Initialization Issues: If the failure occurs during "container initialization" (e.g., pulling an image, mounting volumes, or setting up the container environment), it may represent a platform-level or infrastructure error that occurs outside the scope of individual step execution. In some cases, if the runner itself cannot initialize the environment for subsequent steps, the job may terminate despite thecontinue-on-errorflag [5]. 3. Nested Action Failure:continue-on-errorgenerally works at the immediate step level [5]. If the failure occurs deep within a nested composite action or a sub-action that itself calls other actions, thecontinue-on-errorflag on the outer step may not successfully mask failures occurring in certain internal processes (such as post-actions or deep-level node scripts) [5]. To troubleshoot, inspect the logs for any error messages occurring after the failed step, as these often indicate if the runner aborted the job due to infrastructure constraints rather than a simple step failure [5].Citations:
continue-on-errorin an action doesn't suppress an error from a node action called by an action it calls actions/runner#3510🌐 Web query:
GitHub Actions jobs.<job_id>.continue-on-error job-level semantics step failures checkout failure workflow conclusion💡 Result:
In GitHub Actions, the
continue-on-errorproperty behaves differently depending on whether it is applied to a specific step or an entire job [1]. For steps,jobs.<job_id>.steps[*].continue-on-errorallows a job to continue executing subsequent steps even if the specific step fails [2]. When a step withcontinue-on-error: truefails, the step'soutcomeisfailure, but its finalconclusionis recorded assuccess[3][4]. This allows the job to proceed, effectively masking the failure at the step level [2]. For jobs,jobs.<job_id>.continue-on-errorprevents the entire workflow run from failing if the specific job fails [1]. When set totrue, the workflow run is permitted to pass even if that job fails [1]. It is important to note that usingcontinue-on-errordoes not make the job "succeed" in a technical sense; it primarily affects the workflow's overall completion status [5][4]. Because the job itself may still report a failure internally, conditional expressions likeif: failure()orneeds.<job_id>.resultmay behave unexpectedly if you rely on them to detect the "true" outcome of a job [6][5]. The job's internal failure status remains, which can impact dependent jobs if they are configured to run based on the outcome of the job that usedcontinue-on-error[5][7]. If a job fails or is skipped, all downstream jobs that depend on it are typically skipped unless they use conditional expressions to continue [7].Citations:
continue-on-errorshould not returnsuccessinneeds_job_resultactions/toolkit#1739Move
continue-on-errorto the Semgrep scan step. At the job level, checkout or container setup failures also become advisory, so the workflow can pass without ever running Semgrep.🤖 Prompt for AI Agents