From be1e0bedffab0f121fac2947307fa6452a96c7f4 Mon Sep 17 00:00:00 2001 From: coder-Yash886 Date: Sat, 11 Jul 2026 19:47:08 +0530 Subject: [PATCH 1/2] fix: warn and suppress fail-on exit when fix mode is active in the Action --- action.yml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/action.yml b/action.yml index bf467f73..ed98554d 100644 --- a/action.yml +++ b/action.yml @@ -236,9 +236,14 @@ runs: INPUT_CHECK_OVERRIDES: ${{ inputs.check-overrides }} INPUT_AUDIT_LOG: ${{ inputs.audit-log }} INPUT_REPORT: ${{ inputs.report }} + INPUT_FIX: ${{ inputs.fix }} run: | set -euo pipefail + if [[ "${INPUT_FIX}" == "true" && -n "${INPUT_FAIL_ON}" ]]; then + echo "::warning::fail-on is set but has no effect in fix mode. Remove fail-on from your fix workflow to avoid unexpected job failures." + fi + args=("${PROJECT_PATH}") if [[ "${INPUT_ALL}" == "true" ]]; then @@ -295,9 +300,11 @@ runs: args+=("--report" "${INPUT_REPORT}" "--no-open") fi - # set -e propagates the scan exit code, including exit 2 when a --fix - # verify pass fails, so the job fails the same way the CLI does. - cve-lite "${args[@]}" + if [[ "${INPUT_FIX}" == "true" ]]; then + cve-lite "${args[@]}" || true + else + cve-lite "${args[@]}" + fi - name: Apply security fixes if: ${{ inputs.fix == 'true' }} From 1efb616bb55b6b0758f18f9d2923523e1ae311f1 Mon Sep 17 00:00:00 2001 From: coder-Yash886 Date: Mon, 13 Jul 2026 12:58:02 +0530 Subject: [PATCH 2/2] fix: only suppress exit 1 in fix mode, clarify fail-on warning --- action.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index ed98554d..475e54d6 100644 --- a/action.yml +++ b/action.yml @@ -241,7 +241,7 @@ runs: set -euo pipefail if [[ "${INPUT_FIX}" == "true" && -n "${INPUT_FAIL_ON}" ]]; then - echo "::warning::fail-on is set but has no effect in fix mode. Remove fail-on from your fix workflow to avoid unexpected job failures." + echo "::warning::fail-on is set with fix: true - job failure is suppressed so the fix step can run. Add a second scan step without fix: true if you want to gate on remaining findings after fixing." fi args=("${PROJECT_PATH}") @@ -301,7 +301,10 @@ runs: fi if [[ "${INPUT_FIX}" == "true" ]]; then - cve-lite "${args[@]}" || true + cve-lite "${args[@]}" || EXIT_CODE=$? + if [[ "${EXIT_CODE:-0}" -gt 1 ]]; then + exit "${EXIT_CODE:-0}" + fi else cve-lite "${args[@]}" fi