From 644b28a5d9c937e6e9402b9e678a11a12f0a0fbf Mon Sep 17 00:00:00 2001 From: Ruben Halman Date: Wed, 26 Nov 2025 01:36:08 +0100 Subject: [PATCH 1/6] add lfs action to scan and test pr flow --- .github/workflows/scanAndTest.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/scanAndTest.yml b/.github/workflows/scanAndTest.yml index 16daa737d..3b66ead08 100644 --- a/.github/workflows/scanAndTest.yml +++ b/.github/workflows/scanAndTest.yml @@ -182,6 +182,20 @@ jobs: # If the env variable does not equal 'all', we know that there is a list of # tests that can be run + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Run Flow Scanner + id: scanner + uses: Flow-Scanner/lightning-flow-scanner-action@v2.1.1 + with: + outputMode: sarif # optional (default) + + - name: Upload SARIF to Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.scanner.outputs.sarifPath }} + - name: 'Check-only deploy delta changes - run specified tests' if: ${{ env.APEX_TESTS != 'all' }} run: | From 32006527824cd8c114740db58409233fa37e181b Mon Sep 17 00:00:00 2001 From: Ruben Halman Date: Wed, 26 Nov 2025 01:39:22 +0100 Subject: [PATCH 2/6] run lfs in original dir --- .github/workflows/scanAndTest.yml | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/.github/workflows/scanAndTest.yml b/.github/workflows/scanAndTest.yml index 3b66ead08..1151acbb2 100644 --- a/.github/workflows/scanAndTest.yml +++ b/.github/workflows/scanAndTest.yml 
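Review bot: The upload step added here needs `security-events: write` on the job (and `contents: read` for the checkout), and nothing in this hunk grants it; the job's `permissions:` block, if any, is outside the hunk, so confirm it is set, otherwise `upload-sarif` fails at runtime. All three actions are referenced by mutable tags (`actions/checkout@v4`, `Flow-Scanner/lightning-flow-scanner-action@v2.1.1`, `github/codeql-action/upload-sarif@v3`); pinning each `uses:` to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, keeps a retagged upstream release from changing what runs in this job. The same pinning point applies to the hunk in patch 2/6 and to the new scanFlows.yml in patch 3/6. The enclosing job starts before and ends after this hunk.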
@@ -154,6 +154,18 @@ jobs: - name: 'Authenticate to Integration Org' run: sfdx auth:sfdxurl:store -f ./SFDX_INTEGRATION_URL.txt -s -a integration + # Run Lightning Flow Scanner + - name: Run Flow Scanner + id: scanner + uses: Flow-Scanner/lightning-flow-scanner-action@v2.1.1 + with: + outputMode: sarif # optional (default) + + - name: Upload SARIF to Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.scanner.outputs.sarifPath }} + # We use SFDX Git Delta to create a directory with only the metadata that has changed. # this allows us to deploy only those changes, as opposed to deploying the entire branch. # This helps reducing deployment times @@ -182,20 +194,6 @@ jobs: # If the env variable does not equal 'all', we know that there is a list of # tests that can be run - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Run Flow Scanner - id: scanner - uses: Flow-Scanner/lightning-flow-scanner-action@v2.1.1 - with: - outputMode: sarif # optional (default) - - - name: Upload SARIF to Code Scanning - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ steps.scanner.outputs.sarifPath }} - - name: 'Check-only deploy delta changes - run specified tests' if: ${{ env.APEX_TESTS != 'all' }} run: | From aa5d7c3ac76058078b2a405e8f59000f7685eff2 Mon Sep 17 00:00:00 2001 From: Ruben Halman Date: Fri, 30 Jan 2026 12:19:57 +0100 Subject: [PATCH 3/6] create seperate lfs workflow file --- .github/workflows/scanAndTest.yml | 12 ------------ .github/workflows/scanFlows.yml | 31 +++++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+), 12 deletions(-) create mode 100644 .github/workflows/scanFlows.yml diff --git a/.github/workflows/scanAndTest.yml b/.github/workflows/scanAndTest.yml index 1151acbb2..16daa737d 100644 --- a/.github/workflows/scanAndTest.yml +++ b/.github/workflows/scanAndTest.yml 
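Review bot: The scanner now sits between the org authentication step and the SFDX Git Delta step, so it scans the full checkout rather than the delta directory; that ordering is what the commit message wants, but nothing in the hunk records it, so the added `# Run Lightning Flow Scanner` comment should say why it must stay here, e.g. `# Run Lightning Flow Scanner on the full checkout — must run before SGD narrows the tree to changed metadata`. If the scanner step exits non-zero when it reports violations, the upload step is skipped and the findings never reach Code Scanning; `if: ${{ !cancelled() }}` on the upload step is the usual guard, but confirm against the action's exit behaviour before adding it. The enclosing job continues outside the hunk.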
@@ -154,18 +154,6 @@ jobs: - name: 'Authenticate to Integration Org' run: sfdx auth:sfdxurl:store -f ./SFDX_INTEGRATION_URL.txt -s -a integration - # Run Lightning Flow Scanner - - name: Run Flow Scanner - id: scanner - uses: Flow-Scanner/lightning-flow-scanner-action@v2.1.1 - with: - outputMode: sarif # optional (default) - - - name: Upload SARIF to Code Scanning - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ steps.scanner.outputs.sarifPath }} - # We use SFDX Git Delta to create a directory with only the metadata that has changed. # this allows us to deploy only those changes, as opposed to deploying the entire branch. # This helps reducing deployment times diff --git a/.github/workflows/scanFlows.yml b/.github/workflows/scanFlows.yml new file mode 100644 index 000000000..e097d493c --- /dev/null +++ b/.github/workflows/scanFlows.yml @@ -0,0 +1,31 @@ +name: Scan Flows + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +jobs: + scan-flows: + runs-on: ubuntu-latest + permissions: + contents: read # Read flow files + pull-requests: read # List changed files in PR + security-events: write # Upload SARIF to Code Scanning + actions: read # Required to gather metadata for telemetry + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Lightning Flow Scan + id: flowscanner + uses: Flow-Scanner/lightning-flow-scanner@action-v3.5.0 + with: + sarif-only: true + + - name: Upload SARIF to Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.flowscanner.outputs.sarifPath }} \ No newline at end of file From 7afc1e4c62ed9784ec3c5ceee8f149fb4ebdfb23 Mon Sep 17 00:00:00 2001 From: Ruben Halman Date: Fri, 30 Jan 2026 12:25:52 +0100 Subject: [PATCH 4/6] set sarif mode to false --- .github/workflows/scanFlows.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
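Review bot: The action reference changes from `Flow-Scanner/lightning-flow-scanner-action@v2.1.1` (patches 1–2) to `Flow-Scanner/lightning-flow-scanner@action-v3.5.0`, a different repository and tag scheme; confirm this is the intended publisher and pin the ref to a full commit SHA with the tag in a comment. The explicit least-privilege `permissions:` block is good, but on `pull_request` runs from forks the token cannot carry `security-events: write`, so the upload step would fail for those PRs; if fork PRs are expected, gate the upload with `if: github.event.pull_request.head.repo.full_name == github.repository` or document that only same-repo PRs upload. Two style points: `on:` trips yamllint's `truthy` rule (add `# yamllint disable-line rule:truthy`), and the file ends without a trailing newline.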
diff --git a/.github/workflows/scanFlows.yml b/.github/workflows/scanFlows.yml index e097d493c..c61497860 100644 --- a/.github/workflows/scanFlows.yml +++ b/.github/workflows/scanFlows.yml @@ -23,9 +23,9 @@ jobs: id: flowscanner uses: Flow-Scanner/lightning-flow-scanner@action-v3.5.0 with: - sarif-only: true + sarif-only: false - - name: Upload SARIF to Code Scanning - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ steps.flowscanner.outputs.sarifPath }} \ No newline at end of file + # - name: Upload SARIF to Code Scanning + # uses: github/codeql-action/upload-sarif@v3 + # with: + # sarif_file: ${{ steps.flowscanner.outputs.sarifPath }} \ No newline at end of file From c7c1a98cf8801ff4f14861c89dbb4a12a6c46cf6 Mon Sep 17 00:00:00 2001 From: Ruben Halman Date: Fri, 30 Jan 2026 13:27:32 +0100 Subject: [PATCH 5/6] add .flow-scanner.yml --- .flow-scanner.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .flow-scanner.yml diff --git a/.flow-scanner.yml b/.flow-scanner.yml new file mode 100644 index 000000000..ff3c88316 --- /dev/null +++ b/.flow-scanner.yml @@ -0,0 +1,14 @@ +# Disables layout and documentation related rules for Flow Scanner +rules: + missing-flow-description: + enabled: false + inactive-flow: + enabled: false + missing-fault-path: + enabled: false + invalid-naming-convention: + enabled: false + invalid-api-version: + enabled: false + unspecified-trigger-order: + enabled: false \ No newline at end of file From 89e3877e4050dfcc877db1d330220b356ea346f9 Mon Sep 17 00:00:00 2001 From: Ruben Halman Date: Fri, 30 Jan 2026 13:29:12 +0100 Subject: [PATCH 6/6] turn off auto fixable rules --- .flow-scanner.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.flow-scanner.yml b/.flow-scanner.yml index ff3c88316..924293313 100644 --- a/.flow-scanner.yml +++ b/.flow-scanner.yml 
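Review bot: With the upload step commented out, the job's `security-events: write` grant (in the `permissions:` block above this hunk) no longer has a consumer and should be dropped per least privilege, to be re-added together with the upload if SARIF upload returns. Commented-out steps are better deleted, since git history keeps them; if the upload is expected back, a one-line comment stating why it is off (`# SARIF upload disabled: <reason>; findings currently appear only in the job log`) tells the reader more than the dead block does. The file still lacks a trailing newline on both sides of the hunk.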
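Review bot: The header comment says the file disables "layout and documentation related rules", but judging by their names `missing-fault-path`, `inactive-flow`, `invalid-api-version` and `unspecified-trigger-order` are behaviour and error-handling checks rather than layout ones, so the comment understates what is switched off. Either trim the list or give each entry its own reason, e.g. `missing-fault-path:  # disabled: <reason>; fault paths govern error handling, revisit before relying on this baseline`. Disabling a rule here silences it for every flow in the repository, so confirm this is meant as a permanent baseline rather than a one-off triage. Style: start the document with `---` and end it with a newline.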
@@ -11,4 +11,10 @@ rules: invalid-api-version: enabled: false unspecified-trigger-order: + enabled: false + missing-auto-layout: + enabled: false + unused-variable: + enabled: false + unreachable-element: enabled: false \ No newline at end of file
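Review bot: The three rules added here (`missing-auto-layout`, `unused-variable`, `unreachable-element`) are disabled with the rationale living only in the commit message ("auto fixable"); the file's header comment, on line 1 outside this hunk, still describes the list as layout/documentation rules, so a reader of the config cannot tell why `unreachable-element`, by its name a dead-logic check, is off. Put the reason next to the entries, e.g. `# auto-fixable rules: disabled to keep scan output focused on findings that need a human`, and consider leaving `unreachable-element` and `unused-variable` enabled if the goal is only to suppress layout noise. The file still ends without a trailing newline.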