
Commit 43a4cd7

jbprosclaudepbeckham
authored
fix: use explicit input instead of github.ref for Kosli reporting conditions (#727)
* fix: use explicit input instead of github.ref for Kosli reporting conditions

  In pull_request_target events, github.ref resolves to the base branch (e.g. refs/heads/main), not the PR head. This meant Kosli reporting conditions like `github.ref == 'refs/heads/main'` were true for every PR targeting main, potentially causing spurious reports.

  The fix computes a `report_to_kosli` boolean once in the caller (main.yml pre-build) based on the actual event and ref, then passes it as an explicit input to the reusable workflows (init_kosli.yml, test.yml, docker.yml).

  This also fixes two operator-precedence bugs in docker.yml where `||` vs `&&` grouping was wrong.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: default report_to_kosli to false, require explicit opt-in

  Callers must now explicitly pass report_to_kosli/report_results: true. This prevents accidental Kosli reporting if a new caller forgets to set the input. Updated release.yml to explicitly opt in.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: only report to Kosli on push events to main or tags

  Dependabot PRs (pull_request_target) have GITHUB_REF set to the base branch (refs/heads/main), which caused report_to_kosli to be true. Now we also require the event to be a push, so only actual pushes to main or tag releases trigger Kosli reporting.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: skip PR and never-alone attestations on tag releases

  These attestations only make sense for main branch pushes, not tag releases. Added a separate report_pr_attestations input to init_kosli.yml (default false) that main.yml sets to true only for pushes to main.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* refactor: use single report_to_kosli string with none/all/release values

  Replace the two boolean inputs (report_to_kosli + report_pr_attestations) with a single string input across all reusable workflows:
  - "none": no Kosli reporting (default)
  - "all": full reporting including PR and never-alone attestations (main)
  - "release": reporting without PR/never-alone attestations (tags)

  Also renamed test.yml's report_results to report_to_kosli for consistency across all workflows.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Peter Beckham <peter.beckham@kosli.com>
1 parent 8d777b6 commit 43a4cd7

5 files changed

Lines changed: 39 additions & 16 deletions


.github/workflows/docker.yml

Lines changed: 8 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,10 @@ on:
2525
required: false
2626
type: string
2727
default: ''
28+
report_to_kosli:
29+
required: false
30+
type: string
31+
default: 'none'
2832
secrets:
2933
slack_channel:
3034
required: true
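Review bot: `report_to_kosli` is declared as a free-form string with no `description:` and no validation, so any value other than the literal `none` (a typo such as `al`, or an empty string passed explicitly by a caller) switches every Kosli step in this workflow on. Add a `description:` listing the accepted values `none`, `all` and `release`, and consider having the steps test for the allowed values rather than `!= 'none'`, so an unexpected value fails closed.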
@@ -134,7 +138,7 @@ jobs:
134138

135139

136140
- name: Report Docker image to Kosli
137-
if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
141+
if: ${{ inputs.report_to_kosli != 'none' }}
138142
env:
139143
KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
140144
run:
@@ -149,7 +153,7 @@ jobs:
149153

150154

151155
- name: Report SBOM to Kosli
152-
if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
156+
if: ${{ inputs.report_to_kosli != 'none' }}
153157
env:
154158
KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
155159
run:
@@ -174,7 +178,7 @@ jobs:
174178

175179

176180
- name: Report Snyk Docker scan results attestation to Kosli
177-
if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') && (success() || failure()) }}
181+
if: ${{ inputs.report_to_kosli != 'none' && (success() || failure()) }}
178182
env:
179183
KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
180184
run:
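Review bot: the precedence fix in this hunk is correct and worth a regression check before merging: the old expression parsed as `github.ref == 'refs/heads/main' || (startsWith(github.ref, 'refs/tags/') && (success() || failure()))`, so on main the status function applied only to the tag branch of the `||` and the step ran even after a cancelled job. The new `inputs.report_to_kosli != 'none' && (success() || failure())` applies the status check uniformly; the cancelled-on-main case is the path whose behaviour changes.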
@@ -198,7 +202,7 @@ jobs:
198202
list environments
199203

200204
- name: Report Docker smoke test attestation to Kosli
201-
if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') && (success() || failure()) }}
205+
if: ${{ inputs.report_to_kosli != 'none' && (success() || failure()) }}
202206
env:
203207
KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
204208
SMOKE_TEST_OUTCOME: ${{ steps.smoke-test.outcome}}

.github/workflows/init_kosli.yml

Lines changed: 8 additions & 4 deletions
@@ -19,6 +19,10 @@ on:
1919
required: false
2020
type: string
2121
default: ''
22+
report_to_kosli:
23+
required: false
24+
type: string
25+
default: 'none'
2226
secrets:
2327
kosli_api_token:
2428
required: true
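Review bot: the `report_to_kosli` input here carries more semantics than the identically declared one in docker.yml (this file distinguishes `all` from `release`, docker.yml only tests for `none`), and that distinction lives only in the commit message. A `description:` spelling out what each of the three values enables in this workflow would stop external callers from passing `true` and getting the partial behaviour described below.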
@@ -54,7 +58,7 @@ jobs:
5458
if_false: "CLI main branch changes"
5559

5660
- name: Update Kosli Flow
57-
if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
61+
if: ${{ inputs.report_to_kosli != 'none' }}
5862
env:
5963
KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
6064
run: kosli create flow ${{inputs.flow_name}}
@@ -63,15 +67,15 @@ jobs:
6367
--org ${{inputs.kosli_org}}
6468

6569
- name: Init Kosli Trail
66-
if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
70+
if: ${{ inputs.report_to_kosli != 'none' }}
6771
env:
6872
KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
6973
run: kosli begin trail ${{inputs.trail_name}}
7074
--flow ${{inputs.flow_name}}
7175
--org ${{inputs.kosli_org}}
7276

7377
- name: Report pull-request attestation to Kosli
74-
if: ${{ github.ref == 'refs/heads/main' }}
78+
if: ${{ inputs.report_to_kosli == 'all' }}
7579
env:
7680
KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
7781
run: kosli attest pullrequest github
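Review bot: an unrecognised value now yields a silent partial mode: `Init Kosli Trail` runs because the value is `!= 'none'`, but the pull-request attestation is skipped because the value is not exactly `all`, so a caller's typo produces a trail with missing attestations instead of an error. Consider a first step in this job that fails when `inputs.report_to_kosli` is not one of `none`, `all`, `release`.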
@@ -83,7 +87,7 @@ jobs:
8387

8488

8589
- name: Report never-alone attestation to Kosli
86-
if: ${{ github.ref == 'refs/heads/main' }}
90+
if: ${{ inputs.report_to_kosli == 'all' }}
8791
env:
8892
KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
8993
KOSLI_ORG: ${{ inputs.kosli_org }}

.github/workflows/main.yml

Lines changed: 12 additions & 0 deletions
@@ -19,6 +19,7 @@ jobs:
1919
trail_name: ${{ steps.prep.outputs.trail_name }}
2020
trail_template_file: ${{ steps.prep.outputs.trail_template_file }}
2121
checkout_ref: ${{ steps.prep.outputs.checkout_ref }}
22+
report_to_kosli: ${{ steps.prep.outputs.report_to_kosli }}
2223
steps:
2324
- uses: actions/checkout@v6
2425
with:
@@ -50,6 +51,14 @@ jobs:
5051
echo "TRAIL_TEMPLATE_FILE=${TRAIL_TEMPLATE_FILE}" >> $GITHUB_ENV
5152
echo "trail_template_file=$TRAIL_TEMPLATE_FILE" >> $GITHUB_OUTPUT
5253
54+
if [ "${{ github.event_name }}" == "push" ] && [ "${GITHUB_REF}" == "refs/heads/main" ]; then
55+
echo "report_to_kosli=all" >> $GITHUB_OUTPUT
56+
elif [ "${{ github.event_name }}" == "push" ] && [[ "${GITHUB_REF}" == refs/tags/* ]]; then
57+
echo "report_to_kosli=release" >> $GITHUB_OUTPUT
58+
else
59+
echo "report_to_kosli=none" >> $GITHUB_OUTPUT
60+
fi
61+
5362
init-kosli:
5463
needs: [pre-build]
5564
uses: ./.github/workflows/init_kosli.yml
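Review bot: the added shell block is the security-relevant core of the change and the logic is right: requiring `github.event_name == push` means a `pull_request_target` run, whose `GITHUB_REF` is the base branch, now resolves to `none` even though the ref test alone would match main. Two style points: the test mixes a `${{ github.event_name }}` template expansion with the `${GITHUB_REF}` environment variable (`github.event_name` is not attacker-controlled, so there is no injection risk, but `"${GITHUB_EVENT_NAME}"` keeps template expansion out of `run:` and reads consistently), and the `[[ ... == refs/tags/* ]]` glob match on the `elif` requires bash, which is the default on ubuntu runners but would break silently if a `shell: sh` were ever set on this step.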
@@ -59,6 +68,7 @@ jobs:
5968
FLOW_TEMPLATE_FILE: ${{ needs.pre-build.outputs.trail_template_file }}
6069
KOSLI_ORG: kosli-public
6170
checkout_ref: ${{ needs.pre-build.outputs.checkout_ref }}
71+
report_to_kosli: ${{ needs.pre-build.outputs.report_to_kosli }}
6272
secrets:
6373
kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }}
6474
pr_github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -73,6 +83,7 @@ jobs:
7383
TRAIL_NAME: ${{ needs.pre-build.outputs.trail_name }}
7484
KOSLI_ORG: kosli-public
7585
checkout_ref: ${{ needs.pre-build.outputs.checkout_ref }}
86+
report_to_kosli: ${{ needs.pre-build.outputs.report_to_kosli }}
7687
secrets:
7788
github_access_token: ${{ secrets.KOSLI_GITHUB_TOKEN }}
7889
gitlab_access_token: ${{ secrets.KOSLI_GITLAB_TOKEN }}
@@ -98,6 +109,7 @@ jobs:
98109
trail_name: ${{ needs.pre-build.outputs.trail_name }}
99110
kosli_org: kosli-public
100111
checkout_ref: ${{ needs.pre-build.outputs.checkout_ref }}
112+
report_to_kosli: ${{ needs.pre-build.outputs.report_to_kosli }}
101113
secrets:
102114
slack_webhook: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }}
103115
slack_channel: ci-failures

.github/workflows/release.yml

Lines changed: 3 additions & 0 deletions
@@ -39,6 +39,7 @@ jobs:
3939
TRAIL_NAME: ${{ needs.pre-build.outputs.trail_name }}
4040
FLOW_TEMPLATE_FILE: ${{ needs.pre-build.outputs.trail_template_file }}
4141
KOSLI_ORG: kosli-public
42+
report_to_kosli: release
4243
secrets:
4344
kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }}
4445
pr_github_token: ${{ secrets.GITHUB_TOKEN }}
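Review bot: `report_to_kosli: release` is hard-coded here rather than derived from the event as main.yml does, so the gating for this workflow rests entirely on release.yml's `on:` trigger; if it can be started by anything other than a tag push (for example `workflow_dispatch`), Kosli receives a `release` report for that run. Confirm the trigger is tag-only, or compute the value in pre-build the same way main.yml does.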
@@ -67,6 +68,7 @@ jobs:
6768
FLOW_NAME: cli-release
6869
TRAIL_NAME: ${{ needs.pre-build.outputs.trail_name }}
6970
KOSLI_ORG: kosli-public
71+
report_to_kosli: release
7072
secrets:
7173
github_access_token: ${{ secrets.KOSLI_GITHUB_TOKEN }}
7274
gitlab_access_token: ${{ secrets.KOSLI_GITLAB_TOKEN }}
@@ -91,6 +93,7 @@ jobs:
9193
flow_name: cli-release
9294
trail_name: ${{ needs.pre-build.outputs.trail_name }}
9395
kosli_org: kosli-public
96+
report_to_kosli: release
9497
secrets:
9598
slack_webhook: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }}
9699
slack_channel: ci-failures

.github/workflows/test.yml

Lines changed: 8 additions & 8 deletions
@@ -26,10 +26,10 @@ on:
2626
required: false
2727
type: boolean
2828
default: true
29-
report_results:
29+
report_to_kosli:
3030
required: false
31-
type: boolean
32-
default: true
31+
type: string
32+
default: 'none'
3333
checkout_ref:
3434
required: false
3535
type: string
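Review bot: renaming `report_results` to `report_to_kosli` and changing its type from boolean to string is a breaking change to the reusable workflow's interface, and the default flips from `true` to `'none'`. Callers still passing `report_results: true` should fail validation with an unknown-input error, which is loud and therefore safe; callers that adopt the new name but pass a non-listed value get reporting enabled silently, which is the stronger argument for validating the value against the three accepted strings in the consuming jobs.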
@@ -96,7 +96,7 @@ jobs:
9696
args: --timeout=5m -v
9797

9898
- name: Report lint to Kosli
99-
if: ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) && (success() || failure()) && inputs.report_results }}
99+
if: ${{ (success() || failure()) && inputs.report_to_kosli != 'none' }}
100100
env:
101101
KOSLI_API_TOKEN: ${{ secrets.kosli_reporting_api_token }}
102102
run: kosli attest generic
@@ -162,7 +162,7 @@ jobs:
162162
make test_integration_full
163163
164164
- name: Report test to Kosli
165-
if: ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) && (success() || failure()) && inputs.report_results }}
165+
if: ${{ (success() || failure()) && inputs.report_to_kosli != 'none' }}
166166
env:
167167
KOSLI_API_TOKEN: ${{ secrets.kosli_reporting_api_token }}
168168
run: kosli attest junit
@@ -173,7 +173,7 @@ jobs:
173173
--org ${{ inputs.KOSLI_ORG }}
174174

175175
- name: Upload coverage reports to Codecov
176-
if: ${{ inputs.report_results }}
176+
if: ${{ inputs.report_to_kosli != 'none' }}
177177
uses: codecov/codecov-action@v4
178178

179179
snyk-code-test:
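Review bot: the Codecov upload step is now gated by `inputs.report_to_kosli != 'none'`, so a Kosli-named input also decides whether coverage reaches Codecov, and with the new `'none'` default PR runs no longer upload coverage at all (the old `report_results` defaulted to `true`). If that is intended, say so in the input's `description:`; otherwise keep a separate boolean for Codecov or gate it on the event rather than on the Kosli switch.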
@@ -205,7 +205,7 @@ jobs:
205205
snyk code test --sarif --policy-path=.snyk --sarif-file-output=snyk-code.json --prune-repeated-subdependencies
206206

207207
- name: Report Snyk Code to Kosli
208-
if: ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) && (success() || failure()) && inputs.report_results }}
208+
if: ${{ (success() || failure()) && inputs.report_to_kosli != 'none' }}
209209
env:
210210
KOSLI_API_TOKEN: ${{ secrets.kosli_reporting_api_token }}
211211
run: kosli attest snyk
@@ -244,7 +244,7 @@ jobs:
244244
snyk test --sarif --policy-path=.snyk --sarif-file-output=snyk-dependency.json --prune-repeated-subdependencies
245245

246246
- name: Report Snyk Test to Kosli
247-
if: ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) && (success() || failure()) && inputs.report_results }}
247+
if: ${{ (success() || failure()) && inputs.report_to_kosli != 'none' }}
248248
env:
249249
KOSLI_API_TOKEN: ${{ secrets.kosli_reporting_api_token }}
250250
run: kosli attest snyk
