fix(security): clean scans no longer red the job (fp pipeline pipefail + -e abort) #4

Merged
vr6syncro merged 1 commit from fix/findings-zero-pipefail-abort into main 2026-06-01 20:43:47 +02:00
Owner

Regression I introduced in the de-spam fix. Forgejo Actions runs steps with default bash -eo pipefail. On a clean scan (empty security_summary.txt) the fingerprint pipeline's two greps both exit 1 → pipefail-e aborted the no-continue-on-error Build security report step → job red. Repos with findings matched (exit 0) and stayed green — exactly why NestAgent/NestMsg (clean) were red while ZeitOMeter/NestFather (findings) were green.

Fix: || true guards on the fp pipeline + sha256sum. Locally simulated under bash -eo pipefail: before → abort (exit 1); after → completes (FP = empty-file hash). Surgical, scanners untouched.

Diagnosed via the new if: failure() self-report (issue captured SECURITY_FINDINGS=0).

🤖 Generated with Claude Code

fix(security): clean scans no longer red the job (fp pipeline pipefail+ -e abort)
Some checks failed
86d641111c
Forgejo Actions runs steps with default 'bash -eo pipefail'. The notify-fp
pipeline added in the de-spam change did:
  { ...; grep ... | grep -vE '^trivy=' } | sort -u > fp_lines
On a CLEAN scan (empty security_summary.txt) both greps exit 1 -> pipefail ->
-e aborted the NO-continue-on-error 'Build security report' step -> job red.
Repos WITH findings matched (exit 0) and stayed green, hence NestAgent/NestMsg
(clean) red while ZeitOMeter/NestFather (findings) green. Add '|| true' guards so
the fp computation can't abort the step. Locally simulated under bash -eo pipefail.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
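The abort described in the commit message, reproduced as an added example (this is not code from the ci-workflows repository). It runs the fingerprint pipeline in a child `bash -eo pipefail`, once without and once with the `|| true` guards, on a constructed empty summary and on a constructed summary with findings. The grep patterns, the `CRITICAL`/`HIGH` line format and the file names are assumptions; the page only shows the `^trivy=` filter. The expected fingerprint of a clean scan is the SHA-256 of an empty file.

```shell
#!/usr/bin/env bash
# Added example, not code from the ci-workflows repo: reproduce the
# pipefail + -e abort on a clean scan and show the '|| true' guard.
# Assumed grep patterns and line formats; the workflow's real ones are
# not shown on the page.

# Constructed sample inputs. The empty string stands in for the empty
# security_summary.txt of a clean scan; the trivy= line is matched by the
# first grep and dropped by the second, as in the commit message.
CLEAN_SUMMARY=""
FINDINGS_SUMMARY=$(printf 'CRITICAL: example finding A\ntrivy=CRITICAL:1 HIGH:1\nHIGH: example finding B')

# Run the fingerprint step in a child bash with the options Forgejo Actions
# uses for run steps (-e, -o pipefail). Prints the child's exit status and
# leaves the hash, if the step got that far, in "$2.hash".
# $1 = "unguarded" (pre-fix) or "guarded" (post-fix), $2 = summary file
_run_fp_child() {
  local mode="$1" summary_file="$2" rc=0
  if [ "$mode" = guarded ]; then
    bash -eo pipefail -c '
      f="$1"
      # post-fix: || true keeps a no-match (grep exit 1) from aborting the step
      { grep -E "(CRITICAL|HIGH)" "$f" | grep -vE "^trivy=" || true; } | sort -u > "$f.fp"
      sha256sum "$f.fp" | cut -d" " -f1 > "$f.hash" || true
    ' _ "$summary_file" || rc=$?
  else
    bash -eo pipefail -c '
      f="$1"
      # pre-fix: on an empty file both greps exit 1 -> pipefail -> -e aborts here
      { grep -E "(CRITICAL|HIGH)" "$f" | grep -vE "^trivy="; } | sort -u > "$f.fp"
      sha256sum "$f.fp" | cut -d" " -f1 > "$f.hash"
    ' _ "$summary_file" || rc=$?
  fi
  echo "$rc"
}

# Exit status the 'Build security report' step would end with (1 = job red).
fp_exit_code() {
  local mode="$1" summary="$2" tmp
  tmp="$(mktemp)"
  printf '%s' "$summary" > "$tmp"
  _run_fp_child "$mode" "$tmp"
  rm -f "$tmp" "$tmp.fp" "$tmp.hash"
}

# Fingerprint the step would have produced (empty if the step aborted first).
fp_hash() {
  local mode="$1" summary="$2" tmp
  tmp="$(mktemp)"
  printf '%s' "$summary" > "$tmp"
  _run_fp_child "$mode" "$tmp" > /dev/null
  if [ -f "$tmp.hash" ]; then cat "$tmp.hash"; fi
  rm -f "$tmp" "$tmp.fp" "$tmp.hash"
}

# Side-by-side run: clean scan aborts only in the unguarded variant; a summary
# with findings passes either way, which is the NestAgent vs ZeitOMeter split.
for mode in unguarded guarded; do
  echo "clean scan,    $mode: rc=$(fp_exit_code "$mode" "$CLEAN_SUMMARY") fp=$(fp_hash "$mode" "$CLEAN_SUMMARY")"
  echo "with findings, $mode: rc=$(fp_exit_code "$mode" "$FINDINGS_SUMMARY") fp=$(fp_hash "$mode" "$FINDINGS_SUMMARY")"
done
```

The guard is placed on the inner `grep | grep` pipeline only, so a genuinely broken `sort` or `sha256sum` invocation still fails the step through `pipefail`; the `|| true` after `sha256sum` mirrors the commit's choice of letting the fingerprint computation never abort the report step.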
vr6syncro deleted branch fix/findings-zero-pipefail-abort 2026-06-01 20:43:47 +02:00
Reference
vr6syncro/ci-workflows!4