Merge pull request #365 from xenoscopic/workflow-fixups

ci: fix assorted issues with new update and review workflows

Author: xenoscopic

.github/workflows/security-review-changes.yaml

@@ -421,7 +421,7 @@ jobs:
                 --field output[summary]="Security review failed to complete" \
                 --field output[text]="The security review process encountered an error. Check workflow logs for details."
 
-              echo "Failed $review_type review for $server" >&2
+              echo "::error::Failed $review_type review for $server"
             fi
           }
 

.github/workflows/security-review-manual.yaml

@@ -116,7 +116,7 @@ jobs:
             fi
 
             if ! "${cmd[@]}"; then
-              echo "Security review failed for $server" >&2
+              echo "::error::Security review failed for $server"
             fi
           done < <(jq -c '.[]' "${{ steps.collect.outputs.targets }}")
 

.github/workflows/update-pins.yaml

@@ -111,6 +111,7 @@ jobs:
             exit 1
           fi
           new_pr_count=0
+          failed_servers=()
 
           for server in "${SERVERS[@]}"; do
             patch="patches/${server}.patch"
@@ -151,7 +152,7 @@ jobs:
             # Apply the patch onto a fresh branch for this server.
             git checkout -B "$branch" origin/main
             if ! git apply "$patch"; then
-              echo "Failed to apply patch for $server, skipping."
+              echo "::error::Failed to apply patch for $server, skipping."
               continue
             fi
 
@@ -164,7 +165,7 @@ jobs:
             git add "servers/${server}/server.yaml"
             git commit -m "chore: update pin for ${server}"
             if ! git push --force origin "$branch"; then
-              echo "Failed to push branch for $server, skipping." >&2
+              echo "::error::Failed to push branch for $server, skipping."
               continue
             fi
 
@@ -173,7 +174,8 @@ jobs:
               if ! gh pr edit "$branch" \
                 --title "chore: update pin for ${server}" \
                 --body "Automated commit pin update for ${server}." 2>&1; then
-                echo "Failed to update PR for $server" >&2
+                echo "::error::Failed to update PR for $server"
+                failed_servers+=("$server (update)")
               fi
             else
               if gh pr create \
@@ -183,10 +185,20 @@ jobs:
                 --head "$branch" 2>&1; then
                 new_pr_count=$((new_pr_count + 1))
               else
-                echo "Failed to create PR for $server" >&2
+                echo "::error::Failed to create PR for $server"
+                failed_servers+=("$server (create)")
               fi
             fi
           done
 
           # Leave the repository in a clean state.
           git checkout main
+
+          # Report summary and exit with error if any PRs failed.
+          if [ ${#failed_servers[@]} -gt 0 ]; then
+            echo "::error::Failed to create or update PRs for ${#failed_servers[@]} server(s):"
+            for server in "${failed_servers[@]}"; do
+              echo "  - $server"
+            done
+            exit 1
+          fi

cmd/security-reviewer/main.go

@@ -205,7 +205,9 @@ func run(ctx context.Context, opts options) error {
 	}
 
 	outputDir := filepath.Join(workdir, "output")
-	if err = os.MkdirAll(outputDir, 0o755); err != nil {
+	// Use 0o777 to allow the container to write when running with a different
+	// UID (e.g., in CI environments like GitHub Actions).
+	if err = os.MkdirAll(outputDir, 0o777); err != nil {
 		return fmt.Errorf("create output directory: %w", err)
 	}