Affected Workflow
Security (go-security, pr-security-scan)
Workflow Version / Ref
@develop (PR #144)
Bug Description
In the pr-security-reporter composite, the output from actions/github-script is parsed by a subsequent step using jq. If the script step fails or returns empty/malformed JSON, jq falls back to false silently via the // false default operator.
A real failure in the github-script step (API error, rate limit, malformed response) gets swallowed — the reporter silently reports "no issues found" instead of surfacing the error.
Steps to Reproduce
- Use the pr-security-reporter composite in a workflow
- Trigger a scenario where actions/github-script fails (e.g. API rate limit, network error)
- Observe that the subsequent jq step defaults to false and continues without error
- No warning or failure is surfaced — a clean result is reported incorrectly
Expected Behavior
The step should validate that $RESULT is non-empty and valid JSON before parsing. If either check fails, emit a warning annotation or fail the step so real errors are visible.
Relevant Logs / Error Output
N/A — the bug is that no error is shown when it should be.
Caller Workflow Configuration
N/A — issue is internal to the composite.
Checklist
Additional Context
Found during review of PR #144 (pr-security-scan refact). Suggested fix: add explicit validation before the jq parse — check non-empty + valid JSON (echo "$RESULT" | jq empty), fail or warn if invalid.
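The suggested fix, written out as an added example (this is not the pr-security-reporter composite's own step; the function names, the python3 fallback for hosts without jq, and the sample payloads are constructed here). The check runs before any jq parse: an empty result or a result that jq cannot parse produces a ::error or ::warning annotation and a non-zero return, instead of the // false default quietly turning an API failure into "no issues found".

```shell
#!/usr/bin/env bash
# Added example: validate the actions/github-script output before jq parses it.
# Not the composite's own code; names and sample inputs are constructed.

# is_valid_json STRING -> exit 0 if STRING parses as JSON, non-zero otherwise.
is_valid_json() {
  if command -v jq >/dev/null 2>&1; then
    # The check proposed in the issue: jq empty parses and emits nothing.
    printf '%s' "$1" | jq empty >/dev/null 2>&1
  else
    # Assumed fallback for hosts without jq (python3 is assumed present).
    printf '%s' "$1" | python3 -c 'import json,sys; json.load(sys.stdin)' >/dev/null 2>&1
  fi
}

# validate_result STRING MODE
#   MODE=fail (default): emit a ::error annotation and return 1 on bad input
#   MODE=warn          : emit a ::warning annotation and return 2 on bad input
# Returns 0 only when STRING is non-empty and valid JSON, i.e. safe to parse.
validate_result() {
  result="$1"
  mode="${2:-fail}"
  reason=""
  # Whitespace-only output counts as empty: jq would parse it as "no values".
  if [ -z "$(printf '%s' "$result" | tr -d '[:space:]')" ]; then
    reason="github-script output is empty (step failed or produced nothing)"
  elif ! is_valid_json "$result"; then
    reason="github-script output is not valid JSON"
  fi
  [ -z "$reason" ] && return 0
  if [ "$mode" = "warn" ]; then
    # GitHub Actions workflow-command annotation; the job keeps running.
    echo "::warning title=pr-security-reporter::$reason; skipping report parse"
    return 2
  fi
  echo "::error title=pr-security-reporter::$reason"
  return 1
}

# Demo with constructed payloads (not real github-script output).
GOOD='{"findings":[{"rule":"G101","file":"main.go"}]}'
EMPTY=''
BROKEN='{"findings":[{"rule":'   # truncated response, as after a network error

validate_result "$GOOD" fail && echo "valid: parse may proceed"
validate_result "$EMPTY" fail || echo "empty result rejected (rc=$?)"
validate_result "$BROKEN" warn || echo "malformed result warned (rc=$?)"
```

Drop the function into the composite step ahead of the existing jq parse, e.g. `validate_result "$RESULT" fail || exit 1`; with `warn` the step continues but the annotation makes the skipped parse visible in the job summary rather than being reported as a clean scan.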