From 3eda470b45a67767bd65cd0a3369071f5915cf24 Mon Sep 17 00:00:00 2001
From: Andreas Maier
Date: Sun, 12 Apr 2026 13:02:41 +0200
Subject: [PATCH] Show error in Actions summary for safety issues in normal/scheduled runs
Details:
* Safety issues that are detected in normal and scheduled Actions runs now cause an error to be shown in the Actions summary. They still (intentionally) do not cause the Actions run to fail. Note that safety issues detected during an Actions release run, or during local use, do cause the make command and Actions run to fail.
* In addition, the safety command is now always run for both development and install before checking for failure.
Signed-off-by: Andreas Maier
---
 Makefile | 17 +++++++++++++++--
 changes/noissue.33.feature.rst | 6 ++++++
 2 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100644 changes/noissue.33.feature.rst
diff --git a/Makefile b/Makefile
index a3f5e269..96b8031b 100644
--- a/Makefile
+++ b/Makefile
@@ -443,8 +443,21 @@ pylint: $(done_dir)/pylint_$(pymn)_$(PACKAGE_LEVEL).done

 .PHONY: safety
 safety: Makefile $(done_dir)/develop_$(pymn)_$(PACKAGE_LEVEL).done $(safety_develop_policy_file) $(safety_install_policy_file) minimum-constraints-develop.txt minimum-constraints-install.txt
- safety check --policy-file $(safety_develop_policy_file) -r minimum-constraints-develop.txt --full-report || test '$(RUN_TYPE)' == 'normal' || test '$(RUN_TYPE)' == 'scheduled' || exit 1
- safety check --policy-file $(safety_install_policy_file) -r minimum-constraints-install.txt --full-report || test '$(RUN_TYPE)' == 'normal' || exit 1
+ safety check --policy-file $(safety_develop_policy_file) -r minimum-constraints-develop.txt --full-report; \
+ rc_dev=$$?; \
+ safety check --policy-file $(safety_install_policy_file) -r minimum-constraints-install.txt --full-report; \
+ rc_ins=$$?; \
+ where=""; \
+ if [[ $${rc_dev} -ne 0 ]]; then where="development"; fi; \
+ if [[ $${rc_ins} -ne 0 ]]; then where="$${where:+$$where,}install"; fi; \
+ if [[ -n $${where} ]]; then \
+ if [[ "$(RUN_TYPE)" == "release" || "$(RUN_TYPE)" == "local" ]]; then \
+ echo "Safety issues found in $${where}"; \
+ exit 1; \
+ else \
+ echo "::error::Safety issues found in $${where} - They need to be fixed before the next release"; \
+ fi; \
+ fi
 @echo "Makefile: $@ done."

 .PHONY: bandit
diff --git a/changes/noissue.33.feature.rst b/changes/noissue.33.feature.rst
new file mode 100644
index 00000000..0a3868df
--- /dev/null
+++ b/changes/noissue.33.feature.rst
@@ -0,0 +1,6 @@
+Dev: Safety issues that are detected in normal and scheduled Actions runs
+now cause an error to be shown in the Actions summary. They still
+(intentionally) do not cause the Actions run to fail. Note that safety issues
+detected during an Actions release run, or during local use, do cause the
+make command and Actions run to fail. In addition, the safety command is now
+always run for both development and install before checking for failure.
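Review bot: The failure decision in the Makefile `safety` recipe now lists the run types that fail, so any RUN_TYPE other than `release` or `local` (unset, empty, misspelled, or a type added later) takes the `else` branch, where the check only prints an annotation and exits 0. The removed lines failed by default and exempted only the named types; keeping that direction preserves the gate for unexpected values: `if [[ "$(RUN_TYPE)" != "normal" && "$(RUN_TYPE)" != "scheduled" ]]; then \`, with the two branches left as they are. Separately, every non-zero status from `safety check` is reported as "Safety issues found", which would also cover a scanner that could not run at all (for example a bad policy file or an unreachable database); if the tool distinguishes those cases by exit code, the non-failing branch should not swallow them. How RUN_TYPE is defaulted lies outside the hunk, so the first point assumes the recipe can be reached with another value.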