Unable to produce openvex report

[R3DRUN3]

We are trying to leverge the feature introduced by this PR in order to produce the openvex report. However, it appears that targeting the main branch of the action (uses: project-copacetic/copa-action@main) does not yield the expected results, as the output openvex file is not produced. Conversely, when targeting one of the test branches of @sozercan , it functions properly (uses: sozercan/copa-action@out-vex).

This is the implicated section of our patch pipeline:

- name: Copa Action
  if: steps.vuln_count.outputs.vuln_count != '0'
  id: copa
  uses: sozercan/copa-action@out-vex.  # does not work with 'uses: project-copacetic/copa-action@main'
  with:
    image: ${{ matrix.images }}
    image-report: 'report.json'
    patched-tag: ${{ env.PATCHED_TAG }}
    output: ${{ env.PATCHED_TAG_SBOM }}-openvex-report.json

- name: Archive openvex vuln report
  uses: actions/upload-artifact@v4
  with:
    name: ${{ env.PATCHED_TAG_SBOM }}-openvex-report
    path: ${{ env.PATCHED_TAG_SBOM }}-openvex-report.json

[ashnamehrotra]

@R3DRUN3 Since the entrypoint.sh file was changed, it looks like we will need to update our copa-action images for v0.5.1 and v0.6.0. These action images are released from the main copacetic repo every time there is a new copacetic release. Since we merged this PR after those versions were released, they were not updated with the output argument feature. I am not sure why it works with sozercan/copa-action@out-vex. Besides the output file not produced, are you receiving a any error using the main branch?

[sozercan]

sozercan/copa-action@out-vex was my test repo 😀 it has a custom image in there: https://github.com/sozercan/copa-action/blob/out-vex/action.yaml#L53

like @ashnamehrotra mentioned, after copa cuts a new release this will be available.

[R3DRUN3]

Thank you! we'll wait for the new copa release.

[ashnamehrotra]

Closing this - need to wait for new copacetic/copa-action image release.