Show error in Actions summary for safety issues in normal/scheduled runs

andy-maier · andy-maier · commit ad48e4c0a2dc · 2026-04-12T17:41:27.000+02:00
Details:

* Safety issues that are detected in normal and scheduled Actions runs
  now cause an error to be shown in the Actions summary. They still
  (intentionally) do not cause the Actions run to fail. Note that safety issues
  detected during an Actions release run, or during local use, do cause the
  make command and Actions run to fail.

* In addition, the safety command is now always run for both development
  and install before checking for failure.

Signed-off-by: Andreas Maier &lt;maiera@de.ibm.com&gt;
diff --git a/Makefile b/Makefile
@@ -443,8 +443,21 @@ pylint: $(done_dir)/pylint_$(pymn)_$(PACKAGE_LEVEL).done
 
 .PHONY: safety
 safety: Makefile $(done_dir)/develop_$(pymn)_$(PACKAGE_LEVEL).done $(safety_develop_policy_file) $(safety_install_policy_file) minimum-constraints-develop.txt minimum-constraints-install.txt
-	safety check --policy-file $(safety_develop_policy_file) -r minimum-constraints-develop.txt --full-report || test '$(RUN_TYPE)' == 'normal' || test '$(RUN_TYPE)' == 'scheduled' || exit 1
-	safety check --policy-file $(safety_install_policy_file) -r minimum-constraints-install.txt --full-report || test '$(RUN_TYPE)' == 'normal' || exit 1
+	safety check --policy-file $(safety_develop_policy_file) -r minimum-constraints-develop.txt --full-report; \
+	  rc_dev=$$?; \
+	  safety check --policy-file $(safety_install_policy_file) -r minimum-constraints-install.txt --full-report; \
+	  rc_ins=$$?; \
+	  where=""; \
+	  if [[ $${rc_dev} -ne 0 ]]; then where="development"; fi; \
+	  if [[ $${rc_ins} -ne 0 ]]; then where="$${where:+$$where,}install"; fi; \
+	  if [[ -n $${where} ]]; then \
+	    if [[ "$(RUN_TYPE)" == "release" -o "$(RUN_TYPE)" == "local" ]]; then \
+	      echo "Safety issues found in $${where}"; \
+	      exit 1; \
+	    else \
+	      echo "::error::Safety issues found in $${where} - They need to be fixed before the next release"; \
+	    fi; \
+	  fi
 	@echo "Makefile: $@ done."
 
 .PHONY: bandit
diff --git a/changes/noissue.33.feature.rst b/changes/noissue.33.feature.rst
@@ -0,0 +1,6 @@
+Dev: Safety issues that are detected in normal and scheduled Actions runs
+now cause an error to be shown in the Actions summary. They still
+(intentionally) do not cause the Actions run to fail. Note that safety issues
+detected during an Actions release run, or during local use, do cause the
+make command and Actions run to fail. In addition, the safety command is now
+always run for both development and install before checking for failure.
