
fix: use annotation instead of pr comments #53

Merged
lhoupert merged 4 commits into main from fix--use-annotation-instead-of-pr-comments
Mar 30, 2026

Conversation

@lhoupert
Collaborator

Summary

Cuts down PR notification fatigue by making GitHub Actions annotations the default way to show Bandit and pip-audit results (inline on “Files changed”, no comment emails). PR comments are opt-in via a new comment_on input.

Behavior

  • Annotations — Always emitted: Bandit uses file + line; pip-audit uses summary-level warnings. No email notifications from this path.
  • Step summary — Unchanged: full markdown report in the workflow Summary tab.
  • comment_on (replaces post_pr_comment) — Default never. Use blocking to comment only when the job would fail, or always for every run (previous “always comment” style).

Breaking change

  • Removed post_pr_comment. Migrate to:
    • comment_on: always if you still want a comment on every run, or
    • comment_on: blocking if you only want a comment when there are blocking findings.

Other

  • permissions: Default flows no longer need pull-requests: write unless comment_on is blocking or always.
  • README updated for the new defaults, inputs table, and permissions.
  • New module: src/python_security_auditing/annotations.py; tests extended accordingly.
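The annotations path this PR describes, as an added example that is not the project's annotations.py: a hypothetical helper that turns Bandit findings (file + line) and pip-audit findings (summary-level) into `::error`/`::warning` workflow commands, with the escaping GitHub's workflow-command format requires for the message and property parts. The severity-to-level mapping, the function names and the sample findings are assumptions constructed for illustration.

```python
"""Hypothetical helper (not the project's annotations.py): Bandit and pip-audit
findings -> GitHub Actions '::error'/'::warning' workflow commands. Escaping follows
GitHub's workflow-command format; severity-to-level mapping is an assumption."""

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

def _escape_data(value: str) -> str:
    """Escape the message part: '%', CR and LF have reserved meanings."""
    return value.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")

def _escape_property(value: str) -> str:
    """Escape a property value; ',' and ':' would otherwise split the command."""
    return _escape_data(value).replace(":", "%3A").replace(",", "%2C")

def workflow_command(level: str, message: str, **props: object) -> str:
    """Build one annotation line, e.g. '::error file=a.py,line=3::msg'."""
    prop_str = ",".join(f"{k}={_escape_property(str(v))}" for k, v in props.items())
    head = f"::{level} {prop_str}" if prop_str else f"::{level}"
    return f"{head}::{_escape_data(message)}"

def bandit_annotations(results: list, fail_level: str = "HIGH") -> list:
    """File + line annotations; findings at/above fail_level become errors."""
    lines = []
    for r in results:
        blocking = SEVERITY_RANK[r["issue_severity"]] >= SEVERITY_RANK[fail_level]
        lines.append(workflow_command(
            "error" if blocking else "warning", r["issue_text"],
            file=r["filename"], line=r["line_number"],
            title=f"Bandit {r['test_id']} ({r['issue_severity']})"))
    return lines

def pip_audit_annotations(findings: list) -> list:
    """Summary-level warnings: a dependency has no source line to point at."""
    return [workflow_command(
        "warning", f"{f['name']} {f['version']} is affected by "
        + ", ".join(v["id"] for v in f["vulns"]), title="pip-audit") for f in findings]

# Constructed sample findings; shapes approximate the tools' JSON output.
BANDIT_RESULTS = [
    {"filename": "src/app/run.py", "line_number": 12, "test_id": "B602",
     "issue_severity": "HIGH", "issue_text": "subprocess call with shell=True"},
    {"filename": "src/app/cfg.py", "line_number": 3, "test_id": "B105",
     "issue_severity": "LOW", "issue_text": "Possible hardcoded password: 'x'"}]
PIP_AUDIT_FINDINGS = [{"name": "requests", "version": "0.0.0",
                       "vulns": [{"id": "VULN-ID-PLACEHOLDER"}]}]

if __name__ == "__main__":  # each printed line becomes an annotation in the job
    print("\n".join(bandit_annotations(BANDIT_RESULTS) + pip_audit_annotations(PIP_AUDIT_FINDINGS)))
```

Because the lines are plain stdout, this path needs no token with pull-requests: write, which is why the default flow in this PR can drop that permission.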

@github-actions
Contributor

github-actions bot commented Mar 30, 2026

✅ All test workflows behaved as expected

14 passed, 0 failed

| Test Name | Expected | Actual | Bandit | pip-audit | Result |
|---|---|---|---|---|---|
| 01 requirements · flat · clean | success | success | | | |
| 02 requirements · src/ · bandit HIGH | failure | failure | B105, B404, B602 | | |
| 03 requirements · src/+scripts/ · bandit HIGH + pip-audit | failure | failure | B105, B404, B602 | cryptography, idna, requests, urllib3 | |
| 04 uv · flat · clean | success | success | | | |
| 05 uv · src/ · pip-audit vuln | failure | failure | | idna, requests, urllib3 | |
| 06 uv · src/+scripts/ · bandit MEDIUM | failure | failure | B324, B506 | | |
| 07 poetry · flat · clean | success | success | | | |
| 08 poetry · src/ · bandit MEDIUM + pip-audit | failure | failure | B105, B324 | cryptography, idna, requests, urllib3 | |
| 09 pipenv · flat · clean | success | success | | | |
| 10 pipenv · src/+scripts/ · bandit HIGH | failure | failure | B404, B602 | | |
| 11 requirements · flat · clean (root working dir) | success | success | | | |
| 12 uv · flat · bandit-only (no pip-audit) | failure | failure | B404, B602 | disabled | |
| 13 requirements · flat · unfixable vulns (should pass) | success | success | | pygments | |
| 14 uv · flat · low threshold (B101 assert) | failure | failure | B101 | disabled | |

@developmentseed developmentseed deleted a comment from github-actions bot Mar 30, 2026
@lhoupert lhoupert merged commit 9c59cb4 into main Mar 30, 2026
21 checks passed
@lhoupert lhoupert deleted the fix--use-annotation-instead-of-pr-comments branch March 30, 2026 14:48