zizmor/.github/workflows/test-output.yml

name: Test output formats

on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - labeled

permissions: {}

jobs:
  test-sarif-presentation:
    name: Test SARIF presentation
    runs-on: ubuntu-latest
    if: contains(github.event.pull_request.labels.*.name, 'test-sarif-presentation')
    permissions:
      pull-requests: write # for 'Leave comment' step
    steps:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - name: Run zizmor
        run: |
          cargo run -- --format sarif . > results.sarif

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
        with:
          sarif_file: results.sarif
          category: zizmor-test-sarif-presentation

      - name: Leave comment
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          URL: "https://github.com/zizmorcore/zizmor/security/code-scanning?query=pr%3A${{ github.event.pull_request.number }}+is%3Aopen+sort%3Acreated-desc"
        run: |
          gh pr comment "${PR_NUMBER}" \
            --body ":robot: SARIF results: ${URL}"

  test-github-presentation:
    name: Test GitHub annotations presentation
    runs-on: ubuntu-latest
    if: contains(github.event.pull_request.labels.*.name, 'test-github-presentation')
    permissions: {}

    steps:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - name: Run zizmor
        run: |
          # Normally we'd want a workflow to fail if the audit fails,
          # but we're only testing presentation here.
          cargo run \
            -- \
            --no-exit-codes \
            --format github \
            crates/zizmor/tests/integration/test-data/several-vulnerabilities.yml