
Commit f7762d0

fix(action): empty defaults for github-context inputs (composite actions reject expressions in input defaults)
CI failure on PR #74's Action smoke job:

  TemplateValidationException: Unrecognized named-value: 'github'. Located at position 1 within expression: github.base_ref / github.token

GitHub composite actions do NOT allow ${{ github.* }} expressions in input defaults. Only `runs:` step expressions can reference the github context.

Two inputs were affected:

- `audit-base`: now defaults to "". The existing run step already does `BASE="${AUDIT_BASE:-$BASE_REF}"` where `BASE_REF: ${{ github.base_ref }}` is set as an env var (legal in step env blocks), so empty-input → PR base_ref behavior is preserved.
- `token`: now defaults to "". Two call sites (`upload-sarif` step's `token:` arg + `pr-comment` step's `GH_TOKEN`) now use `${{ inputs.token != '' && inputs.token || github.token }}` to fall back to `github.token` when unset.

Both inputs' descriptions updated to document the empty-falls-back behavior so consumers know what to expect.
1 parent e35f820 commit f7762d0

1 file changed

Lines changed: 5 additions & 5 deletions


action.yml

@@ -42,7 +42,7 @@ inputs:
4242
required: false
4343
default: ""
4444
audit-base:
45-
description: "Git ref to audit against (when mode=audit). Default: ${{ github.base_ref }} on pull_request events."
45+
description: "Git ref to audit against (when mode=audit). Empty (default) → falls back to `github.base_ref` on `pull_request` events; on other events the action no-ops unless an explicit `command:` is set."
4646
required: false
4747
default: ""
4848
changed-since:
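Review bot: The new `audit-base` description on line 45 promises a no-op on non-`pull_request` events, but nothing in this diff shows the guard that delivers it. `github.base_ref` is only populated for `pull_request` and `pull_request_target` runs, so with `default: ""` the run step's `BASE="${AUDIT_BASE:-$BASE_REF}"` (quoted in the commit message) resolves to an empty string everywhere else. Please confirm the step exits early on an empty `BASE` rather than handing it to git, and name `pull_request_target` in the description if it is meant to be covered.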
@@ -80,9 +80,9 @@ inputs:
8080
required: false
8181
default: "any"
8282
token:
83-
description: "GitHub token for SARIF upload + PR comment posting. Default: ${{ github.token }}."
83+
description: "GitHub token for SARIF upload + PR comment posting. Empty (default) → falls back to `github.token` automatically. Pass an explicit fine-grained PAT only if you need elevated permissions."
8484
required: false
85-
default: ${{ github.token }}
85+
default: ""
8686

8787
outputs:
8888
agent:
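Review bot: The `token` description on line 83 should say which permissions the fallback `github.token` needs, because with `default: ""` every caller that omits the input now depends on the calling workflow's own `permissions:` block. The SARIF upload needs `security-events: write` and the PR comment needs `pull-requests: write`; naming them here keeps callers from reaching for a PAT when a permissions entry would do. It is also worth stating that an input that evaluates to empty (for example an unset secret) takes the same fallback silently.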
@@ -238,7 +238,7 @@ runs:
238238
uses: github/codeql-action/upload-sarif@v3
239239
with:
240240
sarif_file: ${{ inputs.working-directory }}/${{ inputs.output-path }}
241-
token: ${{ inputs.token }}
241+
token: ${{ inputs.token != '' && inputs.token || github.token }}
242242

243243
- name: Post PR summary comment
244244
if: steps.gate.outputs.skip != 'true' && inputs.pr-comment == 'true' && github.event_name == 'pull_request' && always()
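Review bot: The fallback on line 241, `inputs.token != '' && inputs.token || github.token`, can be shortened to `inputs.token || github.token`, since an empty string is falsy in Actions expressions and the explicit comparison adds nothing. The same expression is repeated on line 251, so whichever form is kept, keep both sites identical so that a later edit cannot leave one step without the fallback.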
@@ -248,7 +248,7 @@ runs:
248248
EXEC: ${{ steps.detect-pm.outputs.exec }}
249249
OUTPUT_PATH: ${{ inputs.output-path }}
250250
PR_NUMBER: ${{ github.event.pull_request.number }}
251-
GH_TOKEN: ${{ inputs.token }}
251+
GH_TOKEN: ${{ inputs.token != '' && inputs.token || github.token }}
252252
run: |
253253
# Render the markdown body via `codemap pr-comment`, then post via
254254
# `gh pr comment`. The same binary that produced the SARIF / JSON
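Review bot: `GH_TOKEN` on line 251 sits in the step-level `env:`, so it is visible to everything the `run:` script starts, including the `codemap pr-comment` render described in the comment on lines 253-254, not only to `gh pr comment`. The updated `token` description now invites callers to pass a fine-grained PAT with elevated permissions, which raises the cost of that exposure. Consider splitting this into two steps, one that renders the markdown body with no token in its environment and one that sets `GH_TOKEN` and only runs `gh pr comment`.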
