From dd0578b371c987f96d1185abb54344b44352bd58 Mon Sep 17 00:00:00 2001 From: Zvonimir Pavlinovic Date: Tue, 28 May 2024 14:56:32 +0000 Subject: [PATCH] all: provide options to specify action output This includes the output format and the file to which the output should be saved. Change-Id: Iebbc4ecf38f669de441900c4d1ee3f2b83d1c6a9 Reviewed-on: https://go-review.googlesource.com/c/govulncheck-action/+/588735 Run-TryBot: Zvonimir Pavlinovic Reviewed-by: Ian Cottrell Commit-Queue: Zvonimir Pavlinovic TryBot-Bypass: Zvonimir Pavlinovic --- README.md | 11 ++++++++++- action.yml | 17 +++++++++++++++-- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index df4a375..e0cb37a 100644 --- a/README.md +++ b/README.md @@ -65,11 +65,20 @@ work-dir: directory in which to run govulncheck, default '.' repo-checkout: checkout the repository, default true check-latest: check for the latest Go version, default false go-version-file: go.mod or go.work file specifying Go version, default '' +output-format: the format of govulncheck output ('text', 'json', or 'sarif'), default 'text' +output-file: the file to which the output is redirected, default '' (no +redirection) ``` The precedence for inputs `go-version-input`, `go-version-file`, and `check-latest` specifying Go version is inherited from [actions/setup-go](https://github.com/actions/setup-go). -When a vulnerability is found, an error will be displayed for that +The govulncheck-action follows the exit codes of govulncheck command. +Specifying the output format 'json' or 'sarif' will return success even if +there are some vulnerabilities detected. See +[here](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Exit_codes) +for more information. + +When a vulnerability is found with 'text' output format, an error will be displayed for that [GitHub job](https://docs.github.com/en/actions/using-jobs/using-jobs-in-a-workflow) with information about the vulnerability and how to fix it. For example: 
diff --git a/action.yml b/action.yml
index f827dc4..26be829 100644
--- a/action.yml
+++ b/action.yml
@@ -27,6 +27,14 @@ inputs:
 go-version-file:
 description: 'Path to the go.mod or go.work file.'
 required: false
+ output-format:
+ description: 'The format of the output'
+ required: false
+ default: 'text'
+ output-file:
+ description: 'The file to which the govulncheck output is saved'
+ required: false
+ default: ''
 runs:
 using: "composite"
 steps:
@@ -41,6 +49,11 @@ runs:
 - name: Install govulncheck
 run: go install golang.org/x/vuln/cmd/govulncheck@latest
 shell: bash
- - name: Run govulncheck
- run: govulncheck -C ${{ inputs.work-dir }} ${{ inputs.go-package }}
+ - if: inputs.output-file == ''
+ name: Run govulncheck
+ run: govulncheck -C ${{ inputs.work-dir }} -format ${{ inputs.output-format }} ${{ inputs.go-package }}
+ shell: bash
+ - if: inputs.output-file != ''
+ name: Run govulncheck and save to file
+ run: govulncheck -C ${{ inputs.work-dir }} -format ${{ inputs.output-format }} ${{ inputs.go-package }} > ${{ inputs.output-file }}
 shell: bash
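Review bot: Both added `run:` lines splice `${{ inputs.output-format }}` and `${{ inputs.output-file }}` directly into the bash script, so the runner substitutes the raw input text before the shell parses it and any shell metacharacters in a caller-supplied value are interpreted as script rather than as an argument. The redirect target in the second added step is also unquoted, so a path containing spaces breaks the redirection. Pass the inputs through `env:` and reference them as quoted shell variables in both steps; the `work-dir` and `go-package` expressions on the same lines have the same shape and can move with them. `$GO_PACKAGE` is left unquoted below on the assumption that callers may pass several package patterns, which should be confirmed. Rejecting an `output-format` other than 'text', 'json' or 'sarif' before invoking govulncheck would turn a typo into a clear error.

```yaml
    - if: inputs.output-file != ''
      name: Run govulncheck and save to file
      env:
        WORK_DIR: ${{ inputs.work-dir }}
        OUTPUT_FORMAT: ${{ inputs.output-format }}
        GO_PACKAGE: ${{ inputs.go-package }}
        OUTPUT_FILE: ${{ inputs.output-file }}
      run: govulncheck -C "$WORK_DIR" -format "$OUTPUT_FORMAT" $GO_PACKAGE > "$OUTPUT_FILE"
      # … unchanged: shell: bash; the non-redirecting step gets the same env block minus OUTPUT_FILE …
```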