action.yml

name: "Run Bundler Audit"
description: "Runs bundle-audit check --update and outputs results."

inputs:
  ignore_list:
    description: "Space-separated list of CVEs to ignore (e.g., CVE-2023-26141 CVE-2021-41182 CVE-2021-41183)"
    required: false
    default: ""

outputs:
  has_vulnerabilities:
    description: "True if vulnerabilities are found, false otherwise"
    value: ${{ steps.check_vulnerabilities.outputs.has_vulnerabilities }}
  audit_output:
    description: "The full output from bundle-audit"
    value: ${{ steps.check_vulnerabilities.outputs.audit_output }}

runs:
  using: "composite"
  steps:
    - name: Check out code
      uses: actions/checkout@v4

    - name: Set up Ruby
      uses: ruby/setup-ruby@v1

    - name: Install Bundler Audit
      run: gem install bundler-audit
      shell: bash

    - name: Run Bundler Audit
      id: audit
      run: |
        ignore_flag=""
        if [ -n "${{ inputs.ignore_list }}" ]; then
          ignore_flag="--ignore ${{ inputs.ignore_list }}"
        fi

        bundle-audit check --update $ignore_flag > audit_output.txt || true
      shell: bash

    - name: Check for Vulnerabilities
      id: check_vulnerabilities
      run: |
        if grep -q "Vulnerabilities found!" audit_output.txt; then
          echo "has_vulnerabilities=true" >> $GITHUB_OUTPUT
        else
          echo "has_vulnerabilities=false" >> $GITHUB_OUTPUT
        fi

        audit_output=$(jq -Rs . < audit_output.txt)
        echo "audit_output=$audit_output" >> $GITHUB_OUTPUT
      shell: bash