fix(action): honor exit codes under bash -e (restore set +e)#11
Merged
Conversation
…r bash -e GitHub runs `shell: bash` steps with -e (`bash --noprofile --norc -e -o pipefail`). leakwatch legitimately exits 1 when it reports findings, so the scan aborted the step *before* the exit-code mapping — meaning fail-on-findings: false was ignored and the action failed on any findings. (The pre-rewrite action had `set +e` here; it was dropped during the Marketplace rewrite.) - action.yml: `set +e` before the leakwatch call; the script maps 0/1/>=2 itself. - action-test.yml (cli-github-format): `|| true` on the `out=$(leakwatch …)` capture so it doesn't abort under -e either. Verified by reproducing GitHub's `bash -e -o pipefail`: without the fix the mapping is skipped and the step exits 1; with it the mapping runs and the step honors fail-on-findings. The run-action self-test (fail-on-findings: false) and cli-github-format job are the regression guards. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 25, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
GitHub runs
shell: bashsteps with errexit —bash --noprofile --norc -e -o pipefail {0}.leakwatchlegitimately exits 1 when it reports findings, so the action's Run scan step aborted at theleakwatchcall before the exit-code mapping ran. Consequences onmain(merged in #10):fail-on-findings: falsewas effectively ignored — any findings failed the step.findings-count/sarif-fileoutputs and the job summary were not produced on a findings run.cli-github-formatself-test'sout="$(leakwatch …)"capture aborted the same way.The pre-rewrite action had
set +earound the scan; it was dropped during the Marketplace rewrite. CI (action-test) caught it.Fix
action.yml:set +eimmediately before theleakwatchcall so the script maps0/1/>=2itself (the explicit mapping already exists below)..github/workflows/action-test.yml(cli-github-format):|| trueon the output capture so it doesn't abort under-eeither.Verification
Reproduced GitHub's
bash -e -o pipefaillocally: without the fix the mapping is skipped and the step exits 1; with it the mapping runs andfail-on-findingsis honored.actionlint+shellcheckclean. Therun-action(withfail-on-findings: false) andcli-github-formatself-test jobs are the regression guards.🤖 Generated with Claude Code