diff --git a/action.yml b/action.yml index bf467f73..475e54d6 100644 --- a/action.yml +++ b/action.yml @@ -236,9 +236,14 @@ runs: INPUT_CHECK_OVERRIDES: ${{ inputs.check-overrides }} INPUT_AUDIT_LOG: ${{ inputs.audit-log }} INPUT_REPORT: ${{ inputs.report }} + INPUT_FIX: ${{ inputs.fix }} run: | set -euo pipefail + if [[ "${INPUT_FIX}" == "true" && -n "${INPUT_FAIL_ON}" ]]; then + echo "::warning::fail-on is set with fix: true - job failure is suppressed so the fix step can run. Add a second scan step without fix: true if you want to gate on remaining findings after fixing." + fi + args=("${PROJECT_PATH}") if [[ "${INPUT_ALL}" == "true" ]]; then @@ -295,9 +300,14 @@ runs: args+=("--report" "${INPUT_REPORT}" "--no-open") fi - # set -e propagates the scan exit code, including exit 2 when a --fix - # verify pass fails, so the job fails the same way the CLI does. - cve-lite "${args[@]}" + if [[ "${INPUT_FIX}" == "true" ]]; then + cve-lite "${args[@]}" || EXIT_CODE=$? + if [[ "${EXIT_CODE:-0}" -gt 1 ]]; then + exit "${EXIT_CODE:-0}" + fi + else + cve-lite "${args[@]}" + fi - name: Apply security fixes if: ${{ inputs.fix == 'true' }}