build: fail on poutine violation

mbarbero · mbarbero · commit fdbde65aa064 · 2026-03-23T12:30:21.000+01:00
Signed-off-by: Mikaël Barbero &lt;mikael.barbero@eclipse-foundation.org&gt;
diff --git a/.github/workflows/ci-guardrails.yml b/.github/workflows/ci-guardrails.yml
@@ -83,7 +83,7 @@ jobs:
         run: |
           # poutine emits an all-zero GUID that fails GitHub's UUID validation;
           # pipe through jq to replace it with a valid RFC-4122 nil-equivalent.
-          poutine analyze_local "${GITHUB_WORKSPACE}" -f sarif \
+          poutine analyze_local "${GITHUB_WORKSPACE}" -f sarif --fail-on-violation \
             | jq '(.runs[].tool.driver.supportedTaxonomies[] | select(.guid == "00000000-0000-0000-0000-000000000000")).guid = "00000000-0000-1000-8000-000000000000"' \
             > poutine_results.sarif
 
@@ -94,7 +94,7 @@ jobs:
 
       - name: Fail if poutine reported findings
         if: steps.poutine.outcome == 'failure'
-        run: poutine analyze_local "${GITHUB_WORKSPACE}"
+        run: poutine analyze_local "${GITHUB_WORKSPACE}" --fail-on-violation
 
   trufflehog:
     name: Analyze (TruffleHog)
diff --git a/prek.toml b/prek.toml
@@ -108,7 +108,7 @@ hooks = [
     name = "Analyze workflows (Poutine)",
     language = "system",
     entry = "poutine",
-    args = ["analyze_local", ".", "--format", "pretty"],
+    args = ["analyze_local", ".", "--format", "pretty", "--fail-on-violation"],
     files = '^\.github/workflows/.*\.ya?ml$|^\.github/actions/.*\.ya?ml$',
     pass_filenames = false,
   },
