I am trying to find a portable way to produce code annotations for GitHub in a way that would avoid vendor lock-in.

Mainly I want to dump annotations into a file (YAML, JSON, ...) during the build process and have a task at the end that transforms this file into GitHub annotations.

The main goal here is to avoid hardcoding support for github-annotation into the tools that produce them, so other CI/CD systems could also consume the annotation-reports and display them in their UI.

linters -> annotations.report -> github-upload

Tools like flake8 are able to produce output in a parsable format (file:line:column: message), but I need to know if there is any attempt to standardize annotations so we can collect and combine them from multiple tools and feed them to the CI/CD engine.

sorin
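
One way to build the linters -> annotations.report -> github-upload pipeline sketched in the question, as an added example that is not from the question or any of the answers: it parses flake8's file:line:column: message lines into a tool-neutral JSON report (the field names are my own assumption, not a standard) and then renders that report as GitHub workflow commands, which the upload step simply prints to stdout.

```python
import json
import re
from typing import Dict, List

# Constructed sample of flake8's default "file:line:column: code message" output.
SAMPLE_LINT_OUTPUT = """\
src/app.py:12:1: E302 expected 2 blank lines, found 1
src/app.py:40:80: E501 line too long (92 > 79 characters)
tests/test_app.py:3:1: F401 'os' imported but unused
"""

LINE_RE = re.compile(r"^(?P<path>[^:]+):(?P<line>\d+):(?P<col>\d+): (?P<code>\S+) (?P<msg>.*)$")

def parse_flake8(text: str, tool: str = "flake8") -> List[Dict]:
    """Turn linter lines into tool-neutral annotation dicts (the schema is an assumption)."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banners or unparsable lines must not break the build step
        findings.append({
            "tool": tool,
            "path": m["path"],
            "line": int(m["line"]),
            "column": int(m["col"]),
            # pyflakes F-codes are real defects; style codes are reported as warnings
            "level": "error" if m["code"].startswith("F") else "warning",
            "message": f"{m['code']} {m['msg']}",
        })
    return findings

def _esc(value: str, prop: bool) -> str:
    """Percent-escape per GitHub's workflow-command rules (properties also escape ':' and ',')."""
    value = value.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")
    return value.replace(":", "%3A").replace(",", "%2C") if prop else value

def to_github_commands(findings: List[Dict]) -> List[str]:
    """Render the neutral report as ::warning/::error workflow commands for the upload step."""
    return [
        f"::{f['level']} file={_esc(f['path'], True)},line={f['line']},col={f['column']},"
        f"title={_esc(f['tool'], True)}::{_esc(f['message'], False)}"
        for f in findings
    ]

if __name__ == "__main__":
    report = parse_flake8(SAMPLE_LINT_OUTPUT)
    with open("annotations.json", "w") as fh:  # the portable artifact other CI systems can read
        json.dump(report, fh, indent=2)
    print("\n".join(to_github_commands(report)))  # a step's stdout is what GitHub parses
```

Any other CI system only needs a reader for annotations.json; the GitHub-specific part is confined to to_github_commands.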

2 Answers


I am currently using https://github.com/yuzutech/annotations-action. Sample action code:

      - name: Annotate
        uses: yuzutech/annotations-action@v0.3.0
        with:
          repo-token: ${{secrets.GITHUB_TOKEN}}
          input: ./annotations.json
          title: 'Findings'
          ignore-missing-file: true

It does its job well but with one minor defect. If you have findings on a commit/PR, you get to see the finding with a beautiful annotation right where you need it. If you re-push changes, even if the finding persists, the annotation is not displayed on later commits. I have opened an issue but I have not yet received an answer.

The annotations-action mentioned above has not been updated and it does not work for me at all (deprecated calls).

I haven't found anything else that worked exactly as I wanted it to.

Update: I found that you can use reviewdog to annotate based on findings. I also created a GitHub action that can be used for Static Code Analysis here https://github.com/tsigouris007/action-semgrep-reviewdog. You can visit the entrypoint.sh file and check how I piped the custom output to reviewdog utilizing jq.

George Ts.

Today I googled what the heck those "GitHub Action Annotations" are all about, and this was among the hits:

https://github.com/marketplace/actions/annotations-action

GitHub action for creating annotations from JSON file

As of now that page also contains:

This repository uses npm packages from @attest scope on github; we are working hard to open source these packages.

Annotations Action is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.

I didn't try it; again, just a random Google hit.

pfalcon