Description
Affected Workflow
Security (go-security, pr-security-scan)
Workflow Version / Ref
@develop (PR #144)
Bug Description
In the pr-security-reporter composite, the output from actions/github-script is parsed by a subsequent step using jq. If the script step fails or returns empty/malformed JSON, jq falls back to false silently via the // false default operator.
A real failure in the github-script step (API error, rate limit, malformed response) gets swallowed — the reporter silently reports "no issues found" instead of surfacing the error.
Steps to Reproduce
- Use the pr-security-reporter composite in a workflow
- Trigger a scenario where actions/github-script fails (e.g. API rate limit, network error)
- Observe that the subsequent jq step defaults to false and continues without error
- No warning or failure is surfaced — clean result reported incorrectly
Expected Behavior
The step should validate that $RESULT is non-empty and valid JSON before parsing. If either check fails, emit a warning annotation or fail the step so real errors are visible.
Relevant Logs / Error Output
N/A — the bug is that no error is shown when it should be.
Caller Workflow Configuration
N/A — issue is internal to the composite.
Checklist
- I searched existing issues and this is not a duplicate.
- I am using a supported version/ref of the workflow.
- I have included relevant logs and configuration above.
Additional Context
Found during review of PR #144 (pr-security-scan refactor). Suggested fix: add explicit validation before the jq parse — check non-empty + valid JSON (echo "$RESULT" | jq empty), fail or warn if invalid.
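The following is an added example, not code from the pr-security-reporter composite, showing the weak `.has_issues // false` parse described above beside the validation suggested in Expected Behavior and the fix note. It assumes the github-script step emits a JSON object with a boolean `has_issues` key (a hypothetical field name); it runs `jq empty` when jq is installed and falls back to python3's json module otherwise, purely so the example also runs where jq is absent.

```shell
#!/usr/bin/env sh
# Added example, not the composite's own code. Assumption: $RESULT holds a
# JSON object with a boolean "has_issues" key (hypothetical field name).

# json_valid: exit 0 iff stdin is non-blank and well-formed JSON.
# `jq empty` by itself exits 0 on empty input, so the non-blank check has
# to come first; that is why the issue asks for "non-empty + valid JSON".
json_valid() {
  _in=$(cat)
  [ -n "$(printf '%s' "$_in" | tr -d '[:space:]')" ] || return 1
  if command -v jq >/dev/null 2>&1; then
    printf '%s' "$_in" | jq empty >/dev/null 2>&1
  else
    printf '%s' "$_in" | python3 -c 'import json,sys; json.load(sys.stdin)' >/dev/null 2>&1
  fi
}

# has_issues_default_false: the weak filter `.has_issues // false`.
# Prints nothing on empty or malformed input (jq's behaviour), "false" when
# the key is missing or false, "true" when it is true. The python3 branch
# only stands in for jq so the example runs without it.
has_issues_default_false() {
  if command -v jq >/dev/null 2>&1; then
    jq -r '.has_issues // false' 2>/dev/null
  else
    python3 -c '
import json, sys
try:
    v = json.load(sys.stdin).get("has_issues")
except Exception:
    sys.exit(5)
print("true" if v is True else "false")' 2>/dev/null
  fi
}

# weak_step RESULT: the pattern the issue describes. The filter's exit status
# is lost inside the command substitution (as with `echo "k=$(...)" >>
# "$GITHUB_OUTPUT"`), and anything that is not "true" reads as a clean scan,
# so an API error, rate limit or truncated response becomes "no issues".
weak_step() {
  _out=$(echo "has_issues=$(printf '%s' "$1" | has_issues_default_false)")
  if [ "$_out" = "has_issues=true" ]; then echo issues; else echo clean; fi
}

# hardened_step RESULT [fail|warn]: validate first, then parse. Invalid input
# produces a GitHub annotation and, in the default "fail" mode, a non-zero
# exit so the workflow fails loudly; "warn" mode annotates and reports the
# result as "unknown" rather than "clean". Annotations go to stdout because
# that is where the runner reads workflow commands.
hardened_step() {
  _mode=${2:-fail}
  if ! printf '%s' "$1" | json_valid; then
    if [ "$_mode" = warn ]; then
      echo "::warning::pr-security-reporter: github-script output is empty or not valid JSON; scan result unknown"
      echo unknown
      return 0
    fi
    echo "::error::pr-security-reporter: github-script output is empty or not valid JSON; refusing to report a result"
    return 1
  fi
  # Only now is `// false` safe: it can only cover a genuinely missing key.
  _v=$(printf '%s' "$1" | has_issues_default_false)
  if [ "$_v" = "true" ]; then echo issues; else echo clean; fi
}

# Demo over constructed inputs, as the composite's parse step would see them.
for sample in '{"has_issues":true}' '{"has_issues":false}' '' 'rate limit exceeded'; do
  printf 'input=%-24s weak=%-6s hardened(warn)=%s\n' "\"$sample\"" \
    "$(weak_step "$sample")" "$(hardened_step "$sample" warn | tail -n 1)"
done
```

The demo loop prints `clean` from weak_step for both the empty string and the garbage response, which is exactly the false negative the issue reports; hardened_step reports those two as `unknown` (warn mode) or exits non-zero (fail mode) while passing real results through unchanged.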