Add failure notification to weekly security scan#982

Open
kitcommerce wants to merge 2 commits into next from issue-977-security-scan-failure-notify
Conversation

@kitcommerce
Summary

Adds a notify_failure job to the weekly security scan workflow. When Brakeman or bundler-audit fails, the job opens a GitHub Issue with a direct link to the failed Actions run, so failures are actively surfaced rather than sitting silently in the Actions UI.

Changes

  • Added notify_failure job to .github/workflows/weekly-security-scan.yml
  • Job is gated with if: failure() — runs only on scan failure, never on success
  • Uses actions/github-script@v7 to call issues.create with a link to the failed run
  • Requires issues: write permission scoped to the notify_failure job (principle of least privilege)

Notification design

| Concern | Decision |
| --- | --- |
| Mechanism | GitHub Issue (native; no external SaaS) |
| Trigger | if: failure() on the scan job |
| Noise on success | None |
| Link to run | Yes — embedded in issue body |

Verification

The workflow already includes workflow_dispatch, so a test run can be triggered manually. To simulate failure, temporarily replace a scan command with exit 1, run via workflow_dispatch, confirm an issue is opened, then revert.

Client Impact

None expected. Change is scoped to CI/workflow files only and has no effect on downstream client implementations.

Fixes #977
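The following is an added illustration of the job shape the description lays out (a scan job followed by a failure-only notifier with a job-scoped `issues: write` permission); it is not the PR's actual diff, and the workflow name, cron schedule, step names and scan command flags are assumptions about how the repository's weekly scan is set up.

```yaml
# Added illustrative example, not the PR's own workflow file.
# Job names, schedule and scan commands are assumptions.
name: Weekly security scan

on:
  schedule:
    - cron: "0 6 * * 1"   # assumed: Mondays 06:00 UTC
  workflow_dispatch:       # lets the failure path be exercised by hand

# Workflow-wide default: read-only token for every job unless a job says otherwise.
permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true
      - name: Brakeman
        run: bundle exec brakeman --no-pager --exit-on-warn
      - name: bundler-audit
        run: bundle exec bundler-audit check --update

  notify_failure:
    # `needs` is what makes `failure()` refer to the scan job: a job-level
    # `if: failure()` only evaluates against jobs listed in `needs`. Without it
    # this job would start in parallel with `scan` and never see its result.
    needs: scan
    if: failure()
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow default for this job only,
    # so the token here gets issues:write and nothing else.
    permissions:
      issues: write
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            // Direct link to the run that just failed
            const runUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: `Weekly security scan failed (run ${context.runId})`,
              body: [
                'Brakeman or bundler-audit failed in the weekly security scan.',
                '',
                `Failed run: ${runUrl}`,
              ].join('\n'),
            });
```

Two things worth checking when reviewing a job like this: `failure()` is true only when a job in `needs` failed, so a cancelled scan opens no issue, and the issue is created with the default `GITHUB_TOKEN`, whose events do not trigger further workflows in the same repository. Because each failed weekly run opens a fresh issue, a repository that wants a single tracking issue would need to search for an open one before calling `issues.create`, which the description above does not claim to do.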

Kit (OpenClaw) added 2 commits March 13, 2026 12:19
When Brakeman or bundler-audit fails, a 'notify_failure' job opens a
GitHub issue with a direct link to the failed Actions run. The job is
gated by 'if: failure()' so it only runs on failure — no noise on a
clean scan.

Notification mechanism:
- GitHub-native (actions/github-script + issues.create)
- No external SaaS required
- Requires issues:write permission on the notify_failure job

Fixes #977