From 2c6afc6c56e857c96e9c9f9df877bde28105e1af Mon Sep 17 00:00:00 2001
From: svczero
Date: Thu, 11 Jun 2026 12:51:26 -0700
Subject: [PATCH] fix(ci): capture sfw diff stdout only, keep stderr out of the JSON sfw writes warnings to stderr (e.g. the 'runsc not found, falling back to direct execution' notice). The diff loop captured them with 2>&1, so the warning was prepended to the JSON and 'jq' rejected it as Invalid JSON once sfw diff actually started producing output. Redirect stderr to a log instead; print it only on failure.
---
 .github/workflows/semantic_analysis.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/semantic_analysis.yml b/.github/workflows/semantic_analysis.yml
index 93fba42..ec5db4f 100644
--- a/.github/workflows/semantic_analysis.yml
+++ b/.github/workflows/semantic_analysis.yml
@@ -167,11 +167,14 @@ jobs:
 continue
 fi
- # Execute SFW diff (sfw handles its own sandboxing internally)
- if ! OUTPUT=$(./bin/sfw diff "$OLD_FILE" "$NEW_FILE" 2>&1); then
+ # Execute SFW diff (sfw handles its own sandboxing internally).
+ # Capture STDOUT (the JSON report) only -- sfw writes warnings/errors
+ # to stderr (e.g. the "runsc not found, falling back" notice), and
+ # merging them with 2>&1 corrupts the JSON parsed below.
+ if ! OUTPUT=$(./bin/sfw diff "$OLD_FILE" "$NEW_FILE" 2>sfw_stderr.log); then
 echo "::error::sfw failed to process $NEW_FILE_REF"
 # Surface the tool's actual error instead of swallowing it.
- printf '%s\n' "$OUTPUT" | sed 's/^/ [sfw] /'
+ sed 's/^/ [sfw] /' sfw_stderr.log
 ERROR_COUNT=$((ERROR_COUNT + 1))
 continue
 fi
@@ -179,7 +182,8 @@ jobs:
 # Validate JSON
 if ! echo "$OUTPUT" | jq -e . >/dev/null 2>&1; then
 echo "::error::Invalid JSON output for $NEW_FILE_REF"
- printf '%s\n' "$OUTPUT" | sed 's/^/ [sfw] /'
+ printf '%s\n' "$OUTPUT" | sed 's/^/ [out] /'
+ sed 's/^/ [sfw] /' sfw_stderr.log
 ERROR_COUNT=$((ERROR_COUNT + 1))
 continue
 fi
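Review bot: On the success path nothing ever prints `sfw_stderr.log`, so the "runsc not found, falling back to direct execution" notice quoted in the commit message disappears from the job log whenever `sfw diff` exits 0. The comment still says sfw "handles its own sandboxing internally", yet that notice reads as if the tool ran without its sandbox; this is inferred from the wording, since sfw's behaviour is not visible here. If so, the warning should stay visible, or fail the job, rather than be dropped. After the closing `fi` of this block, something like `if [ -s sfw_stderr.log ]; then sed 's/^/::warning::sfw: /' sfw_stderr.log; fi` keeps stderr out of the JSON while still surfacing it. The enclosing loop starts and ends outside the hunk.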
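Review bot: `sfw_stderr.log` is a fixed relative path, so the `sed 's/^/ [sfw] /' sfw_stderr.log` added here, like the redirect and the read in the previous hunk, goes through whatever exists at that name in the step's working directory. If that directory is the checked-out repository (not visible in these hunks), a file or symlink of that name in the tree would be written through, and the log is left behind in the workspace afterwards. A per-run file outside the checkout avoids both: `SFW_ERR=$(mktemp "${RUNNER_TEMP:-/tmp}/sfw_stderr.XXXXXX")` before the loop, then `2>"$SFW_ERR"` and `sed 's/^/ [sfw] /' "$SFW_ERR"`. The enclosing loop starts and ends outside the hunk.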