diff --git a/action.yml b/action.yml
index d2a5116f..86f999c5 100644
--- a/action.yml
+++ b/action.yml
@@ -21,6 +21,11 @@ inputs:
 fail-on:
 description: 'Minimum severity level to fail the action (critical, high, medium, low, info)'
 required: false
+ default: 'high'
+ comment-on:
+ description: 'Minimum severity level to show annotations in code review (critical, high, medium, low, info)'
+ required: false
+ default: 'medium'
 max-findings:
 description: 'Maximum number of findings to report (0 for unlimited)'
 required: false
@@ -75,6 +80,7 @@ runs:
 INPUT_GITHUB_TOKEN: ${{ inputs.github-token }}
 INPUT_CONFIG_PATH: ${{ inputs.config-path }}
 INPUT_FAIL_ON: ${{ inputs.fail-on }}
+ INPUT_COMMENT_ON: ${{ inputs.comment-on }}
 INPUT_MAX_FINDINGS: ${{ inputs.max-findings }}
 INPUT_PARALLEL: ${{ inputs.parallel }}
 CLAUDE_CODE_PATH: ${{ env.HOME }}/.local/bin/claude
diff --git a/src/action/main.ts b/src/action/main.ts
index a1de681d..731ff8e5 100644
--- a/src/action/main.ts
+++ b/src/action/main.ts
@@ -29,6 +29,7 @@ interface ActionInputs {
 githubToken: string;
 configPath: string;
 failOn?: 'critical' | 'high' | 'medium' | 'low' | 'info';
+ commentOn?: 'critical' | 'high' | 'medium' | 'low' | 'info';
 maxFindings: number;
 /** Max concurrent trigger executions */
 parallel: number;
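Review bot: The new `default: 'high'` on `fail-on` is a behavior change for every existing workflow that never set the input, not only a documented default: `inputs.failOn` is now always populated, so the `trigger.output.failOn ?? inputs.failOn` fallback in run() (the later main.ts hunk) resolves to 'high' where it previously resolved to undefined. I cannot see from the diff what an undefined failOn meant downstream; if it meant "never fail the check", this silently tightens the gate for triggers without their own `output.failOn`, and if it meant some other built-in default it silently replaces it. Either way the description should state the default and the override order, e.g. `description: 'Minimum severity level to fail the action (critical, high, medium, low, info). Defaults to high; a trigger's output.failOn takes precedence.'`, and the same wording applies to the new `comment-on` input.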
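Review bot: The severity literal union is now spelled out three times — `failOn?`, the new `commentOn?` here, and the `validSeverities` tuple in getInputs (next hunk) — so adding a level means editing all three, and the compiler will not catch a mismatch between the interface and the runtime check. Derive one type from the tuple and use it in both fields: hoist `const validSeverities = ['critical', 'high', 'medium', 'low', 'info'] as const;` to module scope, add `type Severity = (typeof validSeverities)[number];`, and declare `failOn?: Severity;` / `commentOn?: Severity;`. The ActionInputs interface continues outside the hunk.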
@@ -59,10 +60,16 @@ function getInputs(): ActionInputs {
 );
 }
+ const validSeverities = ['critical', 'high', 'medium', 'low', 'info'] as const;
+
 const failOnInput = getInput('fail-on');
- const validFailOn = ['critical', 'high', 'medium', 'low', 'info'] as const;
- const failOn = validFailOn.includes(failOnInput as typeof validFailOn[number])
- ? (failOnInput as typeof validFailOn[number])
+ const failOn = validSeverities.includes(failOnInput as typeof validSeverities[number])
+ ? (failOnInput as typeof validSeverities[number])
+ : undefined;
+
+ const commentOnInput = getInput('comment-on');
+ const commentOn = validSeverities.includes(commentOnInput as typeof validSeverities[number])
+ ? (commentOnInput as typeof validSeverities[number])
 : undefined;
 return {
@@ -70,6 +77,7 @@ function getInputs(): ActionInputs {
 githubToken: getInput('github-token') || process.env['GITHUB_TOKEN'] || '',
 configPath: getInput('config-path') || 'warden.toml',
 failOn,
+ commentOn,
 maxFindings: parseInt(getInput('max-findings') || '50', 10),
 parallel: parseInt(getInput('parallel') || String(DEFAULT_CONCURRENCY), 10),
 };
@@ -501,7 +509,7 @@ async function run(): Promise {
 }
 const failOn = trigger.output.failOn ?? inputs.failOn;
- const commentOn = trigger.output.commentOn;
+ const commentOn = trigger.output.commentOn ?? inputs.commentOn;
 try {
 const skill = await resolveSkillAsync(trigger.skill, repoPath, config.skills);
diff --git a/warden.toml b/warden.toml
index 6263acee..9cb30bc6 100644
--- a/warden.toml
+++ b/warden.toml
@@ -1,5 +1,11 @@
 version = 1
+[defaults.output]
+# Fail check on high+ severity findings (critical, high)
+failOn = "high"
+# Show annotations for medium+ severity findings
+commentOn = "medium"
+
 [[triggers]]
 name = "security-review"
 event = "pull_request"
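Review bot: An unrecognized `fail-on` or `comment-on` value (a typo such as `hihg`) is still silently mapped to undefined by the two new ternaries, and because the action.yml default only applies when the input is omitted, the typo disables the severity gate instead of falling back to the documented 'high' — for the control that decides whether the check fails, that is the wrong failure mode. The double `as typeof validSeverities[number]` cast on both branches exists only to satisfy the narrow `includes` signature; a type predicate removes the casts and gives one place to reject bad input. The `);` `}` context at the top of the hunk suggests getInputs already throws for invalid input earlier in the function, so rejecting here is consistent with it; if a warning is preferred instead, replace the throw with the action's logging call. getInputs starts before this hunk.
```typescript
const validSeverities = ['critical', 'high', 'medium', 'low', 'info'] as const;
type Severity = (typeof validSeverities)[number];

function isSeverity(value: string): value is Severity {
  return (validSeverities as readonly string[]).includes(value);
}

/** Reads a severity-level input; empty means "not set", anything else must be a known level. */
function parseSeverityInput(name: string): Severity | undefined {
  const raw = getInput(name);
  if (raw === '') return undefined;
  if (isSeverity(raw)) return raw;
  throw new Error(`Invalid ${name} value "${raw}"; expected one of ${validSeverities.join(', ')}`);
}

// … unchanged: getInputs() up to the severity parsing …
  const failOn = parseSeverityInput('fail-on');
  const commentOn = parseSeverityInput('comment-on');
// … unchanged: the returned ActionInputs object …
```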
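Review bot: The new fallback `trigger.output.commentOn ?? inputs.commentOn` leaves the precedence between a trigger's own `output`, the workflow's action input, and the new `[defaults.output]` table in warden.toml (last hunk) implicit, and nothing in this diff shows where `[defaults.output]` is applied — if it is folded into `trigger.output` when triggers are loaded it wins over the workflow's `comment-on`/`fail-on` inputs, otherwise it is never consulted on this line. Whichever is intended should be stated where the resolution happens; suggested comment above the two `const` lines: `// Resolution order: trigger.output (which may already carry warden.toml [defaults.output] — confirm) > action input > unset.` The run() function starts and ends outside the hunk.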