Fail the step if CVE is found (job is non-blocking)

rmoff · rmoff · commit d1b2ca2cd5d3 · 2026-04-17T12:14:02.000+01:00
diff --git a/.github/workflows/kafka-connect-ci.yml b/.github/workflows/kafka-connect-ci.yml
@@ -114,12 +114,8 @@ jobs:
     # a single scan avoids redundant work.
     #
     # Behaviour:
-    #   - Flag, don't block: the scan step uses exit-code 1 so it
-    #     "fails" when CVEs are found, but continue-on-error keeps
-    #     the overall job green. GitHub Actions shows the step with
-    #     an orange warning icon. This is the only mechanism Actions
-    #     provides for "visible but non-blocking" — there is no way
-    #     to show a red step while keeping the job green.
+    #   - If a CVE is found, the step will fail. However, since this job
+    #     is not a required one, it will not block merging.
     #   - On push to main/release branches: results are uploaded as
     #     SARIF to the GitHub Security tab for ongoing tracking.
     #   - On PRs: SARIF upload is skipped because GitHub's Security
@@ -139,12 +135,9 @@ jobs:
         unzip kafka-connect/kafka-connect-runtime/build/distributions/iceberg-kafka-connect-runtime-*.zip \
           -d /tmp/kafka-connect-scan
     # Scan and output results as SARIF (for upload on push) while also
-    # printing a human-readable summary to the CI log. exit-code 1 means
-    # the step fails when CVEs are found; continue-on-error means the
-    # job continues and the step shows as orange (not red) in the UI.
+    # printing a human-readable summary to the CI log.
     - name: Run Trivy vulnerability scan
       if: matrix.jvm == 21
-      continue-on-error: true
       uses: lhotari/sandboxed-trivy-action@f01374b6cc3bf7264ab238293e94f6db7ada6dd0 # v1.0.2
       with:
         scan-type: 'rootfs'
@@ -157,7 +150,7 @@ jobs:
     # Print human-readable results to the CI log so they're visible
     # without downloading the SARIF file.
     - name: Print Trivy scan results
-      if: matrix.jvm == 21
+      if: always() && matrix.jvm == 21
       run: |
         if [ -f trivy-results.sarif ]; then
           echo "## Trivy CVE Scan Results"
@@ -166,7 +159,7 @@ jobs:
           echo "No SARIF file found — scan may have failed to install."
         fi
     - name: Upload Trivy results to GitHub Security tab
-      if: matrix.jvm == 21 && github.event_name == 'push'
+      if: always() && matrix.jvm == 21 && github.event_name == 'push'
       uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
       with:
         sarif_file: 'trivy-results.sarif'
