fix(action): restore set +e so a findings exit (1) doesn't abort unde…

[cemililik]

…r bash -e

GitHub runs shell: bash steps with -e (bash --noprofile --norc -e -o pipefail). leakwatch legitimately exits 1 when it reports findings, so the scan aborted the step before the exit-code mapping — meaning fail-on-findings: false was ignored and the action failed on any findings. (The pre-rewrite action had set +e here; it was dropped during the Marketplace rewrite.)

• action.yml: set +e before the leakwatch call; the script maps 0/1/>=2 itself.
• action-test.yml (cli-github-format): || true on the out=$(leakwatch …) capture so it doesn't abort under -e either.

Verified by reproducing GitHub's bash -e -o pipefail: without the fix the mapping is skipped and the step exits 1; with it the mapping runs and the step honors fail-on-findings. The run-action self-test (fail-on-findings: false) and cli-github-format job are the regression guards.

Summary by Sourcery

Ensure the GitHub Action correctly handles leakwatch's exit codes when running under bash -e so that fail-on-findings behaves as configured instead of always failing on findings.

Bug Fixes:

• Prevent the action step from aborting early under GitHub's default bash -e when leakwatch exits 1 due to findings, allowing exit-code mapping and fail-on-findings to work as intended.

CI:

• Adjust the action-test workflow to tolerate leakwatch's non-zero exit code in the GitHub-format test so the job doesn't prematurely fail under bash -e.

Summary by CodeRabbit

• Bug Fixes
  • Updated GitHub Actions workflow and composite action to properly handle and capture scan results when security findings are detected, preventing premature workflow failure.

[gemini-code-assist]

Important

Installation incomplete: to start using Gemini Code Assist, please ask the organization owner(s) to visit the Gemini Code Assist Admin Console and sign the Terms of Services.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

This PR adjusts how the GitHub Action and its test workflow handle leakwatch’s non-zero exit code under GitHub’s default bash -e behavior so that findings don’t prematurely abort the step and the existing exit-code mapping and fail-on-findings logic can run as intended.

Sequence diagram for GitHub Action handling leakwatch exit codes under bash -e

sequenceDiagram
    participant bash
    participant leakwatch

    bash->>bash: set_plus_e
    bash->>leakwatch: leakwatch ARGS
    leakwatch-->>bash: exit 0_or_1_or_ge_2
    bash->>bash: EXIT_CODE=$?
    alt [fail-on-findings is false]
        bash->>bash: exit 0
    else [fail-on-findings is true]
        bash->>bash: exit EXIT_CODE
    end

Loading

File-Level Changes

Change	Details	Files
Prevent bash -e from aborting the action before leakwatch’s exit code is mapped.	Add set +e immediately before invoking leakwatch so the scan can exit 0/1/>=2 without aborting the step. Preserve the captured exit code in EXIT_CODE for downstream mapping logic to honor fail-on-findings behavior.	action.yml
Make the CLI GitHub-format workflow test resilient to leakwatch’s exit 1 under bash -e.	Wrap the leakwatch invocation in the test workflow with `

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b36424fc-d9b4-46ac-b269-a4bfd6906dfe

📥 Commits

Reviewing files that changed from the base of the PR and between c8e476e and 610ec91.

📒 Files selected for processing (2)

• .github/workflows/action-test.yml
• action.yml

---

📝 Walkthrough

Walkthrough

GitHub Actions exit-code handling for the leakwatch binary is improved across two configuration files. The composite action disables errexit before invoking leakwatch, and the test workflow appends || true to the scan command with updated comments, allowing both to capture non-zero exit codes without step failure.

Changes

Leakwatch exit-code handling in GitHub Actions

Layer / File(s)	Summary
Composite action exit-code handling action.yml	set +e is added before the leakwatch scan invocation to disable errexit, enabling subsequent manual capture and mapping of the process exit code to outputs and step failures.
Test workflow github-format scanning with output capture .github/workflows/action-test.yml	The cli-github-format job appends `

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

A rabbit hops through GitHub's weave,
With exit codes caught on bash's eve,
No more shall steps in silence fail,
When leakwatch speaks its findings tale! 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main fix: restoring set +e to prevent findings exit code (1) from aborting the step, which is the core issue resolved by the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/github-marketplace-action

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• In action.yml, consider re-enabling set -e after the leakwatch invocation so that failures in any subsequent commands in the step are not silently ignored now that errexit is globally disabled.
• In the action-test.yml job, the || true wrapper will swallow any non-1 failure modes from leakwatch as well; if you care about distinguishing real errors from expected findings in the test, it may be safer to capture $? and explicitly allow only the expected exit codes.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `action.yml`, consider re-enabling `set -e` after the `leakwatch` invocation so that failures in any subsequent commands in the step are not silently ignored now that errexit is globally disabled.
- In the `action-test.yml` job, the `|| true` wrapper will swallow any non-1 failure modes from `leakwatch` as well; if you care about distinguishing real errors from expected findings in the test, it may be safer to capture `$?` and explicitly allow only the expected exit codes.

## Individual Comments

### Comment 1
<location path="action.yml" line_range="292-297" />
<code_context>
         # Do NOT echo the assembled args: path/extra-args may carry credentials
         # (tokens, authenticated URLs) that GitHub log masking would not catch.
         echo "Running leakwatch scan (type=${INPUT_SCAN_TYPE}, format=${INPUT_FORMAT})"
+        # GitHub invokes bash with -e; findings legitimately exit 1, so disable
+        # errexit around the scan and map the exit code ourselves below (otherwise
+        # the step would abort here and fail-on-findings: false would be ignored).
+        set +e
         leakwatch "${ARGS[@]}"
         EXIT_CODE=$?

</code_context>
<issue_to_address>
**suggestion (bug_risk):** Consider limiting the scope of `set +e` or restoring `-e` after the scan to avoid changing error-handling semantics for subsequent commands.

`set +e` here affects all subsequent commands in this step, so any later failures that should be fail-fast will be ignored.

Either:
- Re-enable `errexit` right after capturing the exit code (e.g., `set -e`), or
- Avoid changing global options by wrapping the scan in a conditional, for example:
  ```bash
  if ! leakwatch "${ARGS[@]}"; then
    EXIT_CODE=$?
  else
    EXIT_CODE=0
  fi
  ```

This preserves the special handling for the scan without weakening error handling for the rest of the script.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[cemililik]

Thanks @sourcery-ai — both points are valid and applied in #13:

1. errexit scope — replaced set +e with EXIT_CODE=0; leakwatch … || EXIT_CODE=$?, keeping -e on for the rest of the step; guarded the job-summary jq pipe with || true.
2. test || true — the cli-github-format job now captures $? and fails on a hard error (exit ≥ 2) while tolerating findings (0/1), instead of swallowing all failures.

Note: the underlying set +e fix this PR carries is already in main (merged via #11, shipped in v1.6.0), so #12 is redundant and would conflict on merge. Closing it in favor of #13, which applies this review feedback cleanly off main.