From 8c2d6bdb4ff81c3a35fd94f18aeb45da329e1de2 Mon Sep 17 00:00:00 2001
From: Matthew DeVenny
Date: Wed, 1 Apr 2026 14:53:26 -0700
Subject: [PATCH 1/6] #38 add job_run_id

Signed-off-by: Matthew DeVenny
---
 action.yml | 3 +++
 dist/main/index.js | 2 ++
 dist/post/index.js | 16 +++++++++++++++-
 src/start.ts | 2 ++
 src/summary.ts | 13 ++++++++++++-
 5 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/action.yml b/action.yml
index 1b9ab39..ed6be26 100644
--- a/action.yml
+++ b/action.yml
@@ -69,6 +69,9 @@ inputs:
   offline:
     description: 'Skip all CodeCargo API communication (audit upload and policy fetch)'
     default: 'false'
+  job-id:
+    description: 'The check run ID of the current job (auto-detected)'
+    default: ${{ job.check_run_id }}
 
 outputs:
   supported:
diff --git a/dist/main/index.js b/dist/main/index.js
index d9c0c66..6fc40b3 100644
--- a/dist/main/index.js
+++ b/dist/main/index.js
@@ -25886,6 +25886,8 @@ async function start() {
   if (githubServiceHosts) info(` GitHub service hosts: ${githubServiceHosts}`);
   if (azureInfraHosts) info(` Azure infra hosts: ${azureInfraHosts}`);
   if (configFile) info(` Config file: ${configFile}`);
+  const jobId = getInput("job-id");
+  if (jobId) info(` Job ID (check_run_id): ${jobId}`);
   info(` Sudo lockdown: ${sudoLockdown}`);
   info(` DNS upstream: ${dnsUpstream}`);
   try {
diff --git a/dist/post/index.js b/dist/post/index.js
index d7820c1..d25065d 100644
--- a/dist/post/index.js
+++ b/dist/post/index.js
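Review bot: The new `job-id` input is an ordinary `with:` value that any workflow can override, so the `${{ job.check_run_id }}` default gives no assurance about which check run actually produced the audit; the summary.ts hunk later in this patch forwards it as `--job-run-id` alongside the API push. If the CodeCargo API uses this value for attribution it should cross-check it against the run claims in the OIDC token rather than trust the argument — that is inferred from the OIDC handling in summary.ts, not from this file. It would also help to note the dependency on the expression context here, e.g. `# job.check_run_id may be unavailable on older runners; the action treats an empty value as "not set"`, since the code path only guards with a truthiness check.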
@@ -25407,6 +25407,20 @@ async function generateSummary() {
   summaryArgs.push("--api-url", apiUrl);
   summaryArgs.push("--job-key", context2.job);
   summaryArgs.push("--job-name", currentJobName);
+  const jobId = getInput("job-id");
+  if (jobId) {
+    let helpOutput = "";
+    await exec("cargowall", ["summary", "--help"], {
+      ignoreReturnCode: true,
+      silent: true,
+      listeners: { stdout: (data) => {
+        helpOutput += data.toString();
+      } }
+    });
+    if (helpOutput.includes("job-run-id")) {
+      summaryArgs.push("--job-run-id", jobId);
+    }
+  }
   let effectiveMode = getInput("mode") || "enforce";
   try {
     const modeFromFile = (await import_fs6.promises.readFile("/tmp/cargowall-mode", "utf8")).trim();
@@ -25425,7 +25439,7 @@ async function generateSummary() {
       warning(
         `Failed to get OIDC token for API push. Ensure the workflow has "permissions: id-token: write". Error: ${error}`
       );
-      for (const flag of ["--api-url", "--job-key", "--job-name", "--mode", "--default-action", "--job-status"]) {
+      for (const flag of ["--api-url", "--job-key", "--job-name", "--job-run-id", "--mode", "--default-action", "--job-status"]) {
         const idx = summaryArgs.findIndex((a) => a === flag);
         if (idx !== -1) summaryArgs.splice(idx, 2);
       }
diff --git a/src/start.ts b/src/start.ts
index 73588e2..2e9be73 100644
--- a/src/start.ts
+++ b/src/start.ts
@@ -170,6 +170,8 @@ export async function start(): Promise<{ supported: boolean; pid: number | null
   if (githubServiceHosts) core.info(` GitHub service hosts: ${githubServiceHosts}`)
   if (azureInfraHosts) core.info(` Azure infra hosts: ${azureInfraHosts}`)
   if (configFile) core.info(` Config file: ${configFile}`)
+  const jobId = core.getInput('job-id')
+  if (jobId) core.info(` Job ID (check_run_id): ${jobId}`)
   core.info(` Sudo lockdown: ${sudoLockdown}`)
   core.info(` DNS upstream: ${dnsUpstream}`)
 
diff --git a/src/summary.ts b/src/summary.ts
index 47baf72..c9ca8d1 100644
--- a/src/summary.ts
+++ b/src/summary.ts
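Review bot: `jobId` is read in `start()` only to be logged, while the same input is later handed to the `cargowall summary` command by the post step, so a mistyped manual override (anything other than digits) is not noticed until the job ends. A cheap check here would surface that at the start of the run: `if (jobId && !/^\d+$/.test(jobId)) core.warning('job-id "' + jobId + '" is not a numeric check run ID')`. The rest of `start()` lies outside this hunk, so whether `jobId` is used again there is not visible.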
@@ -128,6 +128,17 @@ export async function generateSummary(): Promise {
   summaryArgs.push('--api-url', apiUrl)
   summaryArgs.push('--job-key', github.context.job)
   summaryArgs.push('--job-name', currentJobName)
+  const jobId = core.getInput('job-id')
+  if (jobId) {
+    let helpOutput = ''
+    await exec.exec('cargowall', ['summary', '--help'], {
+      ignoreReturnCode: true, silent: true,
+      listeners: { stdout: (data: Buffer) => { helpOutput += data.toString() } }
+    })
+    if (helpOutput.includes('job-run-id')) {
+      summaryArgs.push('--job-run-id', jobId)
+    }
+  }
 
   // Prefer the effective mode written by the Go binary (which may have
   // been overridden by the SaaS policy) over the static Action input.
@@ -156,7 +167,7 @@ export async function generateSummary(): Promise {
         `Failed to get OIDC token for API push. Ensure the workflow has "permissions: id-token: write". Error: ${error}`
       )
       // Remove API-related args so the binary doesn't attempt an unauthenticated push
-      for (const flag of ['--api-url', '--job-key', '--job-name', '--mode', '--default-action', '--job-status']) {
+      for (const flag of ['--api-url', '--job-key', '--job-name', '--job-run-id', '--mode', '--default-action', '--job-status']) {
         const idx = summaryArgs.findIndex(a => a === flag)
         if (idx !== -1) summaryArgs.splice(idx, 2) // remove flag and its value
       }
From 68a31e29b8d5b05a09df75cee9001e28ae327ef9 Mon Sep 17 00:00:00 2001
From: Matthew DeVenny
Date: Wed, 1 Apr 2026 15:15:34 -0700
Subject: [PATCH 2/6] copilot comments

Signed-off-by: Matthew DeVenny
---
 action.yml | 2 +-
 dist/main/index.js | 2 +-
 src/start.ts | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/action.yml b/action.yml
index ed6be26..fc3e632 100644
--- a/action.yml
+++ b/action.yml
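Review bot: The capability probe `helpOutput.includes('job-run-id')` looks only at stdout and runs with `ignoreReturnCode: true, silent: true`, so a binary that prints usage to stderr, or an exec failure, silently drops the flag with nothing in the job log. If the probe is kept, add an `else` branch with `core.debug('cargowall summary --help did not list --job-run-id; omitting it')` and a `stderr` listener alongside `stdout`. Patch 6 later removes this probe entirely, so the point only matters if an intermediate tag is cut from this commit.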
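Review bot: The list of flags stripped on OIDC failure now has to be kept in sync by hand with every `summaryArgs.push` of an API-bound argument, and this very patch is an example of one that had to be remembered. A shape that cannot drift is to collect them separately, e.g. `const apiArgs: string[] = []` filled where `--api-url`, `--job-key`, `--job-name` and `--job-run-id` are pushed today, and `summaryArgs.push(...apiArgs)` only once the token has been obtained, so the catch block removes nothing. The splice also relies on each flag carrying exactly one value, which holds for the flags visible here. The enclosing `try`/`catch` begins outside this hunk.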
@@ -70,7 +70,7 @@ inputs:
     description: 'Skip all CodeCargo API communication (audit upload and policy fetch)'
     default: 'false'
   job-id:
-    description: 'The check run ID of the current job (auto-detected)'
+    description: 'The check run ID of the current job (populated from the workflow context by default; override if needed)'
     default: ${{ job.check_run_id }}
 
 outputs:
diff --git a/dist/main/index.js b/dist/main/index.js
index 6fc40b3..c44c6d7 100644
--- a/dist/main/index.js
+++ b/dist/main/index.js
@@ -25887,7 +25887,7 @@ async function start() {
   if (azureInfraHosts) info(` Azure infra hosts: ${azureInfraHosts}`);
   if (configFile) info(` Config file: ${configFile}`);
   const jobId = getInput("job-id");
-  if (jobId) info(` Job ID (check_run_id): ${jobId}`);
+  if (jobId) info(` Job run ID: ${jobId}`);
   info(` Sudo lockdown: ${sudoLockdown}`);
   info(` DNS upstream: ${dnsUpstream}`);
   try {
diff --git a/src/start.ts b/src/start.ts
index 2e9be73..677857c 100644
--- a/src/start.ts
+++ b/src/start.ts
@@ -171,7 +171,7 @@ export async function start(): Promise<{ supported: boolean; pid: number | null
   if (azureInfraHosts) core.info(` Azure infra hosts: ${azureInfraHosts}`)
   if (configFile) core.info(` Config file: ${configFile}`)
   const jobId = core.getInput('job-id')
-  if (jobId) core.info(` Job ID (check_run_id): ${jobId}`)
+  if (jobId) core.info(` Job run ID: ${jobId}`)
   core.info(` Sudo lockdown: ${sudoLockdown}`)
   core.info(` DNS upstream: ${dnsUpstream}`)
 
From eeaf824c2356f3f8b66fac86ae5585d68c13ae08 Mon Sep 17 00:00:00 2001
From: Matthew DeVenny
Date: Fri, 3 Apr 2026 10:01:12 -0700
Subject: [PATCH 3/6] test

Signed-off-by: Matthew DeVenny
---
 dist/main/index.js | 2 +-
 src/setup.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dist/main/index.js b/dist/main/index.js
index c44c6d7..072a9fb 100644
--- a/dist/main/index.js
+++ b/dist/main/index.js
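Review bot: The reworded description still does not tell a user what shape the value must have or where it ends up, which is exactly what someone deciding whether to override it needs. Suggest `description: 'Numeric check run ID of the current job, passed to cargowall summary with the audit upload. Defaults to the job context and should rarely need overriding.'`. That it accompanies the upload is inferred from the `--job-run-id` handling next to `--api-url` in summary.ts, not from this file.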
@@ -21513,7 +21513,7 @@ var os6 = __toESM(require("os")); var path4 = __toESM(require("path")); var INSTALL_DIR = "/usr/local/bin"; var BINARY_NAME = "cargowall"; -var CARGOWALL_VERSION = "v1.0.0"; +var CARGOWALL_VERSION = "v1.0.1-rc.0"; async function setup() { const failOnUnsupported = getInput("fail-on-unsupported") === "true"; const binaryPath = getInput("binary-path"); diff --git a/src/setup.ts b/src/setup.ts index 077ddf5..6912a67 100644 --- a/src/setup.ts +++ b/src/setup.ts @@ -7,7 +7,7 @@ import * as path from 'path' const INSTALL_DIR = '/usr/local/bin' const BINARY_NAME = 'cargowall' -const CARGOWALL_VERSION = 'v1.0.0' +const CARGOWALL_VERSION = 'v1.0.1-rc.0' export async function setup(): Promise { const failOnUnsupported = core.getInput('fail-on-unsupported') === 'true' From 48ad56553b8bb77a2941a6346896f9be08a31bd3 Mon Sep 17 00:00:00 2001 From: Matthew DeVenny Date: Fri, 3 Apr 2026 10:03:17 -0700 Subject: [PATCH 4/6] test Signed-off-by: Matthew DeVenny --- .github/workflows/test.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index df4a681..a50b48c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -112,13 +112,12 @@ jobs: - name: Setup CargoWall with strict hosts uses: ./ with: + api-url: https://app.dev.codecargo.dev allowed-hosts: | app.codecargo.com github.com api.github.com - - - name: Test allowed DNS query run: | nslookup github.com 127.0.0.1 || true @@ -153,6 +152,7 @@ jobs: - name: Setup CargoWall with CIDR rules uses: ./ with: + api-url: https://app.dev.codecargo.dev allowed-cidrs: | "140.82.112.0/20" # GitHub's IP range allowed-hosts: | @@ -178,6 +178,7 @@ jobs: id: cargowall uses: ./ with: + api-url: https://app.dev.codecargo.dev allowed-hosts: | app.codecargo.com github.com @@ -200,6 +201,7 @@ jobs: - name: Setup CargoWall uses: ./ with: + api-url: https://app.dev.codecargo.dev allowed-hosts: | github.com app.codecargo.com 
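Review bot: `api-url: https://app.dev.codecargo.dev` is added to the strict-hosts job while its `allowed-hosts` still lists only `app.codecargo.com`, `github.com` and `api.github.com`, so unless the action implicitly allow-lists its own API host the upload to the dev endpoint would be blocked by the very firewall under test; the same mismatch applies to the other jobs in this file. Patch 5 reverts every line of this commit, so the pair should be squashed out of the series rather than leaving a dev endpoint — and presumably the job's OIDC token sent to it — in history. The `@@ -238` hunk of this file continues past this point.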
@@ -238,6 +240,7 @@ jobs: - name: Setup CargoWall with sudo lockdown uses: ./ with: + api-url: https://app.dev.codecargo.dev allowed-hosts: | app.codecargo.com github.com From 1d53d837123aa98f10810d1b9dd69577355ee4e0 Mon Sep 17 00:00:00 2001 From: Matthew DeVenny Date: Fri, 3 Apr 2026 10:07:28 -0700 Subject: [PATCH 5/6] change back to prod Signed-off-by: Matthew DeVenny --- .github/workflows/test.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a50b48c..df4a681 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -112,12 +112,13 @@ jobs: - name: Setup CargoWall with strict hosts uses: ./ with: - api-url: https://app.dev.codecargo.dev allowed-hosts: | app.codecargo.com github.com api.github.com + + - name: Test allowed DNS query run: | nslookup github.com 127.0.0.1 || true @@ -152,7 +153,6 @@ jobs: - name: Setup CargoWall with CIDR rules uses: ./ with: - api-url: https://app.dev.codecargo.dev allowed-cidrs: | "140.82.112.0/20" # GitHub's IP range allowed-hosts: | @@ -178,7 +178,6 @@ jobs: id: cargowall uses: ./ with: - api-url: https://app.dev.codecargo.dev allowed-hosts: | app.codecargo.com github.com @@ -201,7 +200,6 @@ jobs: - name: Setup CargoWall uses: ./ with: - api-url: https://app.dev.codecargo.dev allowed-hosts: | github.com app.codecargo.com @@ -240,7 +238,6 @@ jobs: - name: Setup CargoWall with sudo lockdown uses: ./ with: - api-url: https://app.dev.codecargo.dev allowed-hosts: | app.codecargo.com github.com From c90fbedffd1d79ed95a0fb475d9c6fa4adf6c729 Mon Sep 17 00:00:00 2001 From: Matthew DeVenny Date: Fri, 3 Apr 2026 10:46:55 -0700 Subject: [PATCH 6/6] Use v1.0.1 Signed-off-by: Matthew DeVenny --- dist/main/index.js | 2 +- dist/post/index.js | 12 +----------- src/setup.ts | 2 +- src/summary.ts | 9 +-------- 4 files changed, 4 insertions(+), 21 deletions(-) diff --git a/dist/main/index.js b/dist/main/index.js index 072a9fb..670f22f 100644 
--- a/dist/main/index.js
+++ b/dist/main/index.js
@@ -21513,7 +21513,7 @@ var os6 = __toESM(require("os"));
 var path4 = __toESM(require("path"));
 var INSTALL_DIR = "/usr/local/bin";
 var BINARY_NAME = "cargowall";
-var CARGOWALL_VERSION = "v1.0.1-rc.0";
+var CARGOWALL_VERSION = "v1.0.1";
 async function setup() {
   const failOnUnsupported = getInput("fail-on-unsupported") === "true";
   const binaryPath = getInput("binary-path");
diff --git a/dist/post/index.js b/dist/post/index.js
index d25065d..cc793ff 100644
--- a/dist/post/index.js
+++ b/dist/post/index.js
@@ -25409,17 +25409,7 @@ async function generateSummary() {
   summaryArgs.push("--job-name", currentJobName);
   const jobId = getInput("job-id");
   if (jobId) {
-    let helpOutput = "";
-    await exec("cargowall", ["summary", "--help"], {
-      ignoreReturnCode: true,
-      silent: true,
-      listeners: { stdout: (data) => {
-        helpOutput += data.toString();
-      } }
-    });
-    if (helpOutput.includes("job-run-id")) {
-      summaryArgs.push("--job-run-id", jobId);
-    }
+    summaryArgs.push("--job-run-id", jobId);
   }
   let effectiveMode = getInput("mode") || "enforce";
   try {
diff --git a/src/setup.ts b/src/setup.ts
index 6912a67..b99aaaf 100644
--- a/src/setup.ts
+++ b/src/setup.ts
@@ -7,7 +7,7 @@ import * as path from 'path'
 
 const INSTALL_DIR = '/usr/local/bin'
 const BINARY_NAME = 'cargowall'
-const CARGOWALL_VERSION = 'v1.0.1-rc.0'
+const CARGOWALL_VERSION = 'v1.0.1'
 
 export async function setup(): Promise {
   const failOnUnsupported = core.getInput('fail-on-unsupported') === 'true'
diff --git a/src/summary.ts b/src/summary.ts
index c9ca8d1..e6fa3c2 100644
--- a/src/summary.ts
+++ b/src/summary.ts
@@ -130,14 +130,7 @@ export async function generateSummary(): Promise {
   summaryArgs.push('--job-name', currentJobName)
   const jobId = core.getInput('job-id')
   if (jobId) {
-    let helpOutput = ''
-    await exec.exec('cargowall', ['summary', '--help'], {
-      ignoreReturnCode: true, silent: true,
-      listeners: { stdout: (data: Buffer) => { helpOutput += data.toString() } }
-    })
-    if (helpOutput.includes('job-run-id')) {
-      summaryArgs.push('--job-run-id', jobId)
-    }
+    summaryArgs.push('--job-run-id', jobId)
   }
 
   // Prefer the effective mode written by the Go binary (which may have
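Review bot: Removing the `--help` probe makes `--job-run-id` unconditional whenever `job-id` is set, yet the setup.ts hunk in this same patch still reads a `binary-path` input, so a user who points the action at an older cargowall build that does not know the flag would presumably see the summary step fail where it previously degraded gracefully. Either state in the `binary-path` description that the binary must be v1.0.1 or newer, or keep a guard keyed on the pinned version instead of help text. A one-line comment on the `if (jobId)` branch recording why the probe is gone, `// cargowall >= v1.0.1 always accepts --job-run-id`, would stop the next reader from re-adding it. The enclosing `generateSummary` continues outside this hunk.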