diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml
index 8640284..261a198 100644
--- a/.github/workflows/selftest.yml
+++ b/.github/workflows/selftest.yml
@@ -88,3 +88,21 @@ jobs:
PIP_AUDIT_OUTPUT: "${{ steps.pip-audit.outputs.internal-be-careful-output }}"
run: |
grep -E 'pyyaml\s+\|\s+5.1' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}")
+ selftest-pipaudit-fail:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: ./
+ id: pip-audit
+ with:
+ # we do not care about pip-audit's actual output in this test, we just need a file to pass
+ # in so as to not exercise `pip list` mode.
+ inputs: ./test/empty.txt
+ # pass in a fake flag here to reliably trigger the failure we're looking for.
+ internal-be-careful-extra-flags: --not-a-real-pip-audit-flag
+ internal-be-careful-allow-failure: true
+ - name: assert expected output
+ env:
+ PIP_AUDIT_OUTPUT: "${{ steps.pip-audit.outputs.internal-be-careful-output }}"
+ run: |
+ grep 'pip-audit did not return any output' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}")
diff --git a/README.md b/README.md
index c7f790d..156c1e0 100644
--- a/README.md
+++ b/README.md
@@ -300,6 +300,20 @@ Example
internal-be-careful-debug: true
```
+#### `internal-be-careful-extra-flags`
+**Default**: `""`
+
+The `internal-be-careful-extra-flags` setting passes the specified flags
+to `pip-audit`.
+
+Example:
+
+```yaml
+- uses: pypa/gh-action-pip-audit@v1.0.5
+ with:
+ internal-be-careful-extra-flags: --not-a-real-pip-audit-flag
+```
+
## Troubleshooting
diff --git a/action.py b/action.py
index 75d8d7f..21145b5 100755
--- a/action.py
+++ b/action.py
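Review bot: In the new "assert expected output" step the command substitution `$(base64 -d <<< "${PIP_AUDIT_OUTPUT}")` is fed to the here-string unquoted, so the decoded output is word-split and glob-expanded before grep sees it; the match still works for this sentinel, but `grep 'pip-audit did not return any output' <<< "$(base64 -d <<< "${PIP_AUDIT_OUTPUT}")"` keeps the output intact and is robust if the text ever contains glob characters. The sentinel string is duplicated between this workflow and action.py, so a wording change in one silently breaks the other; a comment such as `# must match the fallback message emitted by action.py` above the grep would make the coupling visible.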
@@ -18,7 +18,7 @@
_GITHUB_STEP_SUMMARY = Path(os.getenv("GITHUB_STEP_SUMMARY")).open("a")
_GITHUB_OUTPUT = Path(os.getenv("GITHUB_OUTPUT")).open("a")
_RENDER_SUMMARY = os.getenv("GHA_PIP_AUDIT_SUMMARY", "true") == "true"
-_DEBUG = os.getenv("GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_DEBUG", "false") != "false"
+_DEBUG = str(os.getenv("GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_DEBUG", "false")) != "false"
def _template(name):
@@ -64,7 +64,7 @@ def _fatal_help(msg):
"--desc",
# Write the output to this logfile, which we'll turn into the step summary (if configured).
"--output=/tmp/pip-audit-output.txt",
-]
+] + os.getenv("GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_EXTRA_FLAGS").split()
if _DEBUG:
pip_audit_args.append("--verbose")
@@ -135,15 +135,19 @@ def _fatal_help(msg):
else:
_summary("❌ pip-audit found one or more problems")
- with open("/tmp/pip-audit-output.txt", "r") as io:
- output = io.read()
+ output = "⚠️ pip-audit did not return any output"
+ try:
+ with open("/tmp/pip-audit-output.txt", "r") as io:
+ output = io.read()
+ except OSError as ex:
+ _log(ex)
- # This is really nasty: our output contains multiple lines,
- # so we can't naively stuff it into an output.
- print(f"output={b64encode(output.encode()).decode()}", file=_GITHUB_OUTPUT)
+ # This is really nasty: our output contains multiple lines,
+ # so we can't naively stuff it into an output.
+ print(f"output={b64encode(output.encode()).decode()}", file=_GITHUB_OUTPUT)
- _log(output)
- _summary(output)
+ _log(output)
+ _summary(output)
_log(status.stdout)
diff --git a/action.yml b/action.yml
index 3574e61..c645057 100644
--- a/action.yml
+++ b/action.yml
@@ -50,6 +50,10 @@ inputs:
description: "run with debug logs (default false)"
required: false
default: false
+ internal-be-careful-extra-flags:
+ description: "extra flags to be passed in to pip-audit"
+ required: false
+ default: ""
outputs:
internal-be-careful-output:
description: "the column-formatted output from pip-audit, wrapped as base64"
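Review bot: Wrapping `os.getenv(...)` in `str()` on the `_DEBUG` line is a no-op: with the `"false"` default `os.getenv` already returns a `str`, so the new line behaves exactly like the removed one. If the intent was to guard against a non-string value, that guard belongs where the value is produced (the env mapping in action.yml); otherwise the simpler `_DEBUG = os.getenv("GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_DEBUG", "false") != "false"` should stay. A short comment that any value other than the literal `false` (including `False` or `0`) switches debug on would save the next reader from re-deriving that from the comparison.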
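Review bot: `os.getenv("GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_EXTRA_FLAGS")` on the new `+]` line has no default, so when the variable is unset (action.py run outside the composite action, or paired with an action.yml that predates this input) `.split()` raises `AttributeError` while `pip_audit_args` is being built, before any audit runs. `] + os.getenv("GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_EXTRA_FLAGS", "").split()` makes an absent variable behave like the empty default declared in action.yml. Plain `.split()` also cannot express a single argument containing whitespace; `shlex.split(...)` (adding `import shlex` to the existing imports) would honour shell-style quoting, and whichever rule is chosen should be stated in the README entry for this input. The `pip_audit_args` list this appends to begins above the hunk.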
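Review bot: The `except OSError` around the `open("/tmp/pip-audit-output.txt", "r")` read catches more than the missing-file case it is meant for: a permission or I/O error on an output file that does exist is logged and then replaced by the `⚠️ pip-audit did not return any output` sentinel, which misreports the failure in the step summary and in the base64 output. `except FileNotFoundError as ex:` keeps the fallback for the case the selftest exercises and lets other errors surface. Because the fallback is decided solely by whether the file exists, a leftover `/tmp/pip-audit-output.txt` from an earlier pip-audit invocation in the same job would be reported as this run's output; removing the file before pip-audit is launched (that code is outside the hunk) would make the sentinel reliable. The `print`/`_log`/`_summary` lines appear to be re-indented only, and the enclosing block continues beyond the hunk.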
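Review bot: The description of the new `internal-be-careful-extra-flags` input does not say how the value is split or that it is appended verbatim to pip-audit's command line, which is what a workflow author needs before relying on it. Something like `description: "extra flags appended verbatim to the pip-audit command line, split on whitespace (no quoting support)"`, adjusted to whatever splitting action.py settles on, would close that gap and justify the "be careful" naming.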
@@ -84,4 +88,5 @@ runs:
GHA_PIP_AUDIT_IGNORE_VULNS: "${{ inputs.ignore-vulns }}"
GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_ALLOW_FAILURE: "${{ inputs.internal-be-careful-allow-failure }}"
GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_DEBUG: "${{ inputs.internal-be-careful-debug }}"
+ GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_EXTRA_FLAGS: "${{ inputs.internal-be-careful-extra-flags }}"
shell: bash
diff --git a/test/empty.txt b/test/empty.txt
new file mode 100644
index 0000000..e69de29