From 610ec9182bd9f6fa4c3420d64eaac394c354f76a Mon Sep 17 00:00:00 2001 From: Cemil ILIK Date: Mon, 25 May 2026 10:12:36 +0300 Subject: [PATCH] fix(action): restore set +e so a findings exit (1) doesn't abort under bash -e MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit GitHub runs `shell: bash` steps with -e (`bash --noprofile --norc -e -o pipefail`). leakwatch legitimately exits 1 when it reports findings, so the scan aborted the step *before* the exit-code mapping — meaning fail-on-findings: false was ignored and the action failed on any findings. (The pre-rewrite action had `set +e` here; it was dropped during the Marketplace rewrite.) - action.yml: `set +e` before the leakwatch call; the script maps 0/1/>=2 itself. - action-test.yml (cli-github-format): `|| true` on the `out=$(leakwatch …)` capture so it doesn't abort under -e either. Verified by reproducing GitHub's `bash -e -o pipefail`: without the fix the mapping is skipped and the step exits 1; with it the mapping runs and the step honors fail-on-findings. The run-action self-test (fail-on-findings: false) and cli-github-format job are the regression guards. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/action-test.yml | 4 +++- action.yml | 4 ++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/action-test.yml b/.github/workflows/action-test.yml index 13a1da3..79d355d 100644 --- a/.github/workflows/action-test.yml +++ b/.github/workflows/action-test.yml 
@@ -142,7 +142,9 @@ jobs: set -uo pipefail mkdir -p _fx printf 'AWS_ACCESS_KEY_ID=%s%s\n' 'AKIA' 'IOSFODNN7EXAMPLE' > _fx/leak.env - out="$("${RUNNER_TEMP}/leakwatch" scan fs _fx --format github --no-verify 2>/dev/null)" + # leakwatch exits 1 on findings; `|| true` so the capture doesn't abort + # the step under bash -e (GitHub's default shell flags). + out="$("${RUNNER_TEMP}/leakwatch" scan fs _fx --format github --no-verify 2>/dev/null || true)" echo "$out" echo "$out" | grep -q '^::error .*aws-access-key-id' \ || { echo "::error::expected an ::error annotation for aws-access-key-id"; exit 1; } diff --git a/action.yml b/action.yml index e15dcff..035af68 100644 --- a/action.yml +++ b/action.yml @@ -289,6 +289,10 @@ runs: # Do NOT echo the assembled args: path/extra-args may carry credentials # (tokens, authenticated URLs) that GitHub log masking would not catch. echo "Running leakwatch scan (type=${INPUT_SCAN_TYPE}, format=${INPUT_FORMAT})" + # GitHub invokes bash with -e; findings legitimately exit 1, so disable + # errexit around the scan and map the exit code ourselves below (otherwise + # the step would abort here and fail-on-findings: false would be ignored). + set +e leakwatch "${ARGS[@]}" EXIT_CODE=$?
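Review bot: in the action-test.yml hunk, `|| true` on the `out=$(...)` capture hides every non-zero exit, not just the expected 1, so a leakwatch crash or usage error (exit >= 2, possibly with stderr already sent to /dev/null) would now surface only as the misleading "expected an ::error annotation for aws-access-key-id" failure. Suggest recording the status instead of discarding it, e.g. `rc=0; out="$("${RUNNER_TEMP}/leakwatch" scan fs _fx --format github --no-verify 2>_fx/stderr.txt)" || rc=$?` followed by `[ "$rc" -eq 0 ] || [ "$rc" -eq 1 ] || { cat _fx/stderr.txt; echo "::error::leakwatch exited $rc"; exit 1; }`, which keeps the step alive under `-e` for the findings case while still making the 0/1/>=2 contract the commit message describes part of the regression guard.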
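Review bot: in the action.yml hunk, `set +e` is never turned back on after `EXIT_CODE=$?`, so errexit stays disabled for the rest of the step and any later failure (writing to `$GITHUB_OUTPUT`, a summary or SARIF upload) would be silently ignored instead of failing the action. Either restore it immediately after the capture (`EXIT_CODE=$?` then `set -e`), or avoid toggling errexit at all by scoping the exemption to the one command: `EXIT_CODE=0` followed by `leakwatch "${ARGS[@]}" || EXIT_CODE=$?` records the findings exit code without aborting under `-e` and leaves the shell's flags unchanged for the mapping logic below. The comment above the call should then say which of the two was chosen, since this same line was the one lost in the Marketplace rewrite.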