Can't retrieve outputs from SecHub GitHub Action #3481
Comments
Thank you for bringing this to our attention!

@adobryn We had a bug in our GitHub Action, the scan was started in a wrong directory. The issue was fixed and a new version of the Action has been released. Please rerun your scans and check if everything is now working for you.

Apparently the fix of the GitHub Action did not help with this bug

Could reproduce the behavior.
Bottom line: The latest action produces the problem.

Maybe the thread here is helpful: actions/toolkit#1218
Analyze

Test workflow

Created a SecHub github workflow like this:

```yaml
name: Test (de-jcup) - SecHub code scan

on:
  # enable manual triggering of workflow
  workflow_dispatch:

jobs:
  sechub-scan:
    runs-on: [testrunner-amd64-linux]
    steps:
      - name: Check out this repo
        id: repo_checkout
        uses: actions/checkout@v3

      - name: Setup Node.js
        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6
        with:
          node-version: 22

      - name: Show NPM information about core actions
        id: show_npm_info_actions_core
        run: npm info @actions/core

      - name: SecHub scan
        id: sechub_scan
        uses: mercedes-benz/sechub/github-actions/scan@master
        with:
          project-name: ${{ vars.SECHUB_PROJECT }}
          url: https://mysechub-server.example.org
          user: ${{ secrets.SECHUB_USERID }}
          api-token: ${{ secrets.SECHUB_APITOKEN }}
          fail-job-with-findings: false

      - name: Print outputs of action
        id: print_outputs
        if: always()
        run: |
          # echo "scan-trafficlight: '${{ steps.sechub_scan.outputs.scan-trafficlight }}'"
          # echo "scan-findings-count '${{ steps.sechub_scan.outputs.scan-findings-count }}'"
          # echo "scan-findings-high '${{ steps.sechub_scan.outputs.scan-findings-high }}'"
          # echo "scan-findings-medium '${{ steps.sechub_scan.outputs.scan-findings-medium }}'"
          # echo "scan-findings-low '${{ steps.sechub_scan.outputs.scan-findings-low }}'"
          # echo "readable-summary '${{ steps.sechub_scan.outputs.scan-readable-summary }}'"
          echo "greeting=Hello World" >> "$GITHUB_OUTPUT" # Test Output
          echo "additional=Additoinal info" >> "$GITHUB_OUTPUT" # Test Output 2

      - name: Print greeting output by step access
        id: test_output_access_to_print_outputs_by_other_step
        if: always()
        run: |
          # echo "greeting: '${{ steps.print_outputs.outputs.greeting }}'"
          # echo "greeting: '${{ steps.print_outputs.outputs.additional }}'"

      - name: Show all github output files
        id: output_file
        if: always()
        run: |
          echo "GITHUB_OUTPUT=$GITHUB_OUTPUT"
          DIRECTORY=$(dirname -- "$GITHUB_OUTPUT")
          # Check if the directory exists
          if [ ! -d "$DIRECTORY" ]; then
            echo "Directory does not exist."
            exit 1
          fi
          # Iterate through each file in the directory
          for FILE in "$DIRECTORY"/*; do
            # Check if the file name starts with "set_output"
            if [[ $(basename "$FILE") == set_output* ]]; then
              echo "----------------------------------------------------------------------------------------------------"
              echo "Contents of $FILE:"
              echo "----------------------------------------------------------------------------------------------------"
              cat "$FILE"
              echo # Add a newline for better readability
            fi
          done

      - name: Print Context Information
        if: always()
        env:
          CONTEXT: ${{ toJson(steps) }}
        run: echo "$CONTEXT"
```
Results

Core action version

"Funny" remark: core 1.11.1 cannot be found as a release tag at GitHub toolkit tags. I was forced to download the tarball and inspect the output...

The found JavaScript content

```javascript
/**
 * Sets the value of an output.
 *
 * @param name name of the output to set
 * @param value value to store. Non-string values will be converted to a string via JSON.stringify
 */
// eslint-disable-next-line @typescript-eslint/no-explicit-any
function setOutput(name, value) {
    const filePath = process.env['GITHUB_OUTPUT'] || '';
    if (filePath) {
        return (0, file_command_1.issueFileCommand)('OUTPUT', (0, file_command_1.prepareKeyValueMessage)(name, value));
    }
    process.stdout.write(os.EOL);
    (0, command_1.issueCommand)('set-output', { name }, (0, utils_1.toCommandValue)(value));
}
exports.setOutput = setOutput;
```

was similar to https://github.com/actions/toolkit/blob/main/packages/core/src/core.ts#L192 :

```typescript
export function setOutput(name: string, value: any): void {
  const filePath = process.env['GITHUB_OUTPUT'] || ''
  if (filePath) {
    return issueFileCommand('OUTPUT', prepareKeyValueMessage(name, value))
  }
  process.stdout.write(os.EOL)
  issueCommand('set-output', {name}, toCommandValue(value))
}
```

Content of set_report* files on runner

The green area is from
The red marked area is from SecHub scan action which uses the

Outputs of step access and context print

As shown in next figure, the context output (green) contains the parts which were

Final result

It looks like using the
As a solution we try to create a wrapper here which no longer uses this method, but instead writes to the file directly.
- introduced output helper - storing now outputs directly to file by own helper method instead of using core.setOutput(..)
Writing directly to the file with correct content did NOT solve the problem.
Important here IMO: "without the intention of the workflow author" I tried out to directly call issueCommand('set-output', {name}, toCommandValue(value)) by the wrapper method, but inside the logs I found also the deprecation warning. And the output of the context did still not contain the wanted outputs from sechub scan action.

'set-output' command is deprecated.

```javascript
const filePath = process.env[`GITHUB_OUTPUT`];
if (!filePath) {
    throw new Error(`Empty environment variable GITHUB_OUTPUT`);
}
if (!fs.existsSync(filePath)) {
    throw new Error(`No access to file ${filePath}`);
}
fs.appendFileSync(filePath, `${field}=${valuestring}${os.EOL}`);
```

(See branch feature-3481-make-output-work-again)
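The comments above inspect the raw set_output files and try appending `name=value` lines directly. The following is an added example, not SecHub or actions/toolkit code: a simplified model of the output-file format that reads both the single-line form and the `name<<delimiter` form, and shows why a multi-line value such as the readable summary must not be written with the single-line form. The function names and the sample summary are assumptions made for the illustration.

```javascript
// Added example, not SecHub or actions/toolkit code. Simplified model of the
// GITHUB_OUTPUT file format; sample values below are constructed.
const { randomUUID } = require('node:crypto');

// Single-line form, as written by the direct-append helper quoted above.
function formatNaive(name, value) {
  return `${name}=${value}\n`;
}

// Delimiter form: name<<DELIM, the value lines, then DELIM on its own line.
function formatDelimited(name, value, delimiter = `ghadelimiter_${randomUUID()}`) {
  if (name.includes(delimiter) || value.includes(delimiter)) {
    throw new Error('name or value contains the delimiter');
  }
  return `${name}<<${delimiter}\n${value}\n${delimiter}\n`;
}

// Parse output-file text into a Map of output name -> value.
function parseOutputFile(text) {
  const outputs = new Map();
  const lines = text.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    if (line === '') continue;
    const eq = line.indexOf('=');
    const here = line.indexOf('<<');
    if (here > 0 && (eq === -1 || here < eq)) {
      const name = line.slice(0, here);
      const delimiter = line.slice(here + 2);
      const body = [];
      for (i++; i < lines.length && lines[i] !== delimiter; i++) body.push(lines[i]);
      if (i >= lines.length) throw new Error(`unterminated value for ${name}`);
      outputs.set(name, body.join('\n'));
    } else if (eq > 0) {
      outputs.set(line.slice(0, eq), line.slice(eq + 1));
    } else {
      throw new Error(`invalid output line: ${line}`);
    }
  }
  return outputs;
}

// Constructed two-line summary, written once in each form.
const summary = 'RED - 2 findings\nhigh=1, medium=1';
const naive = parseOutputFile(formatNaive('scan-readable-summary', summary));
const safe = parseOutputFile(formatDelimited('scan-readable-summary', summary));
console.log([...naive.keys()], [...safe.keys()]);
```

With the single-line form the summary is cut at the first newline and its second line becomes an unintended output named `high`; with the delimiter form the value survives intact.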
IMO this is a bug in GitHub and I created actions/toolkit#1906. Because we do not know when/if this will be fixed, we decided to switch to environment variables instead! For example:

- directly writing to the file did not work
- directly using set-output command did not work
- using SECHUB_OUTPUT* environment values as alternative
- changed documentation
- wrote tests
…b-core-output-problem Fix output problem #3481
Remark: The changes (environment variables instead of outputs) will be available when the GitHub action has been released.
Situation
I have a workflow that uses SecHub scan action outputs and sends a message to a Teams channel. It worked fine, but since last Friday, all output values have been null without any code changes from my side:
Further investigation
Debugging showed that the SecHub action creates the outputs:
but they can't be retrieved in the next action:
I also tried waiting 20 seconds to ensure the action was completed and used if: always(), but it didn't help.
Do you have any suggestions on how to resolve this? Thank you for your help!
upd: with previous version of client 1.7.0 everything works as expected