Check that output file exists before opening (#33)

* action.py: check that output exists before opening

* action: log exception, extra flags setting

Signed-off-by: Andrew Pan <[email protected]>

* workflows/selftest: regression test for no output

Signed-off-by: Andrew Pan <[email protected]>

* issue/32: doc `internal-be-careful-extra-flags`

---------

Signed-off-by: Andrew Pan <[email protected]>

.github/workflows/selftest.yml

@@ -88,3 +88,21 @@ jobs:
           PIP_AUDIT_OUTPUT: "${{ steps.pip-audit.outputs.internal-be-careful-output }}"
         run: |
           grep -E 'pyyaml\s+\|\s+5.1' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}")
+  selftest-pipaudit-fail:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./
+        id: pip-audit
+        with:
+          # we do not care about pip-audit's actual output in this test, we just need a file to pass
+          # in so as to not exercise `pip list` mode.
+          inputs: ./test/empty.txt
+          # pass in a fake flag here to reliably trigger the failure we're looking for.
+          internal-be-careful-extra-flags: --not-a-real-pip-audit-flag
+          internal-be-careful-allow-failure: true
+      - name: assert expected output
+        env:
+          PIP_AUDIT_OUTPUT: "${{ steps.pip-audit.outputs.internal-be-careful-output }}"
+        run: |
+          grep 'pip-audit did not return any output' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}")

README.md

@@ -300,6 +300,20 @@ Example
       internal-be-careful-debug: true
   ```
 
+#### `internal-be-careful-extra-flags`
+**Default**: `""`
+
+The `internal-be-careful-extra-flags` setting passes the specified flags
+to `pip-audit`.
+
+Example:
+
+```yaml
+- uses: pypa/[email protected]
+  with:
+    internal-be-careful-extra-flags: --not-a-real-pip-audit-flag
+```
+
 </details>
 
 ## Troubleshooting

action.py

@@ -18,7 +18,7 @@
 _GITHUB_STEP_SUMMARY = Path(os.getenv("GITHUB_STEP_SUMMARY")).open("a")
 _GITHUB_OUTPUT = Path(os.getenv("GITHUB_OUTPUT")).open("a")
 _RENDER_SUMMARY = os.getenv("GHA_PIP_AUDIT_SUMMARY", "true") == "true"
-_DEBUG = os.getenv("GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_DEBUG", "false") != "false"
+_DEBUG = str(os.getenv("GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_DEBUG", "false")) != "false"
 
 
 def _template(name):
@@ -64,7 +64,7 @@ def _fatal_help(msg):
     "--desc",
     # Write the output to this logfile, which we'll turn into the step summary (if configured).
     "--output=/tmp/pip-audit-output.txt",
-]
+] + os.getenv("GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_EXTRA_FLAGS").split()
 
 if _DEBUG:
     pip_audit_args.append("--verbose")
@@ -135,15 +135,19 @@ def _fatal_help(msg):
 else:
     _summary("❌ pip-audit found one or more problems")
 
-    with open("/tmp/pip-audit-output.txt", "r") as io:
-        output = io.read()
+    output = "⚠️ pip-audit did not return any output"
+    try:
+        with open("/tmp/pip-audit-output.txt", "r") as io:
+            output = io.read()
+    except OSError as ex:
+        _log(ex)
 
-        # This is really nasty: our output contains multiple lines,
-        # so we can't naively stuff it into an output.
-        print(f"output={b64encode(output.encode()).decode()}", file=_GITHUB_OUTPUT)
+    # This is really nasty: our output contains multiple lines,
+    # so we can't naively stuff it into an output.
+    print(f"output={b64encode(output.encode()).decode()}", file=_GITHUB_OUTPUT)
 
-        _log(output)
-        _summary(output)
+    _log(output)
+    _summary(output)
 
 
 _log(status.stdout)

action.yml

@@ -50,6 +50,10 @@ inputs:
     description: "run with debug logs (default false)"
     required: false
     default: false
+  internal-be-careful-extra-flags:
+    description: "extra flags to be passed in to pip-audit"
+    required: false
+    default: ""
 outputs:
   internal-be-careful-output:
     description: "the column-formatted output from pip-audit, wrapped as base64"
@@ -84,4 +88,5 @@ runs:
         GHA_PIP_AUDIT_IGNORE_VULNS: "${{ inputs.ignore-vulns }}"
         GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_ALLOW_FAILURE: "${{ inputs.internal-be-careful-allow-failure }}"
         GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_DEBUG: "${{ inputs.internal-be-careful-debug }}"
+        GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_EXTRA_FLAGS: "${{ inputs.internal-be-careful-extra-flags }}"
       shell: bash