fix(surfaces): skip Code Scanning upload + PR comment for remote targets #2
Merged
Conversation
When `target` is a remote URL the scan covers a different repo than the checkout, so SARIF (file paths + commit) and the PR comment are scoped to the wrong repository — uploading would misattribute Code Scanning alerts. Guard both behind isRemoteTarget(). Also drop the unused context.isFork field and shorten the console footer note so it no longer overruns the ASCII box.
From the post-merge review.

Remote-target misattribution (main correctness fix)

With a remote URL `target:`, the scan describes a different repo than the workflow's checkout, but `uploadSarif` posts to this repo's Code Scanning at this commit/ref — so the SARIF file paths don't resolve and you get orphan/misattributed alerts. Same logic applies to the sticky PR comment (it'd describe another repo). Both are now guarded behind a new `isRemoteTarget(target)` helper; local-path scans (the common case) are unchanged. The downloadable artifact still uploads.

Cleanups

`context.isFork` field (fork degradation is handled reactively by the 403 catch in sarif/comment).

Tests

`isRemoteTarget` unit tests added (56 tests pass). `npm run all` green; `dist/` rebuilt and committed.
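The guard described in the PR description and the post-merge review, as an added example that is not the project's own code: a hypothetical `isRemoteTarget()` plus the publish step that always keeps the artifact upload, skips SARIF and the PR comment for remote targets, and degrades a surface on the 403 that a forked PR's read-only token produces. `planSurfaces`, `publishResults` and the `io` callbacks are assumed names.

```javascript
// Hypothetical names: planSurfaces, publishResults and the `io` callbacks are
// assumptions for this example; only isRemoteTarget is named in the PR.
const REMOTE_SCHEMES = /^(https?|ssh|git):\/\//i;
const SCP_LIKE = /^[\w.-]+@[\w.-]+:/; // e.g. git@github.com:org/repo.git

// A remote target is scanned from a clone of *another* repo, so its results
// must not be attributed to the workflow's checkout. Local paths are the common case.
function isRemoteTarget(target) {
  const t = String(target ?? '').trim();
  return t !== '' && (REMOTE_SCHEMES.test(t) || SCP_LIKE.test(t));
}

// Which result surfaces are safe to publish for this target.
function planSurfaces(target) {
  const remote = isRemoteTarget(target);
  return {
    uploadArtifact: true,   // a downloadable file carries no repo/commit attribution
    uploadSarif: !remote,   // SARIF paths + commit would point at the wrong repo
    postPrComment: !remote, // the sticky comment would describe another repo
  };
}

// Run the enabled surfaces. `io` supplies async uploadArtifact/uploadSarif/postComment.
// A 403 (read-only token on a forked PR) degrades that surface instead of failing the run.
async function publishResults(target, sarif, io) {
  const plan = planSurfaces(target);
  const outcome = { artifact: 'uploaded', sarif: 'skipped', comment: 'skipped' };
  await io.uploadArtifact(sarif);
  const steps = [
    ['sarif', plan.uploadSarif, io.uploadSarif],
    ['comment', plan.postPrComment, io.postComment],
  ];
  for (const [key, enabled, fn] of steps) {
    if (!enabled) continue;
    try {
      await fn(sarif);
      outcome[key] = 'uploaded';
    } catch (err) {
      if (err && err.status === 403) outcome[key] = 'forbidden';
      else throw err;
    }
  }
  return outcome;
}
```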