From bee45f1107ebf7cbb211c3e242085d0f4b5326d9 Mon Sep 17 00:00:00 2001
From: CTO Hermes
Date: Sat, 30 May 2026 19:52:03 +0700
Subject: [PATCH] fix(ci): address cora self-review findings
- Move Infisical identity-id to secret (INFISICAL_IDENTITY_ID)
- Remove 2>&1 redirect (was mixing stderr into SARIF JSON)
- Remove || true (was masking failures)
- Guard SARIF upload with hashFiles check
---
 .github/workflows/ci.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9dbd564..28aa1ba 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -82,7 +82,7 @@ jobs:
 uses: Infisical/secrets-action@v1.0.9
 with:
 method: "oidc"
- identity-id: "6bd2b8d8-a9a3-4331-8b37-bf2764fc320b"
+ identity-id: ${{ secrets.INFISICAL_IDENTITY_ID }}
 project-slug: "github-actions"
 env-slug: "prod"
 domain: "https://infisical.ajianaz.dev"
@@ -96,7 +96,7 @@ jobs:
 --format sarif \
 --severity major \
 --quiet \
- > cora-results.sarif 2>&1 || true
+ > cora-results.sarif
 echo "### 🔍 Cora AI Code Review" >> $GITHUB_STEP_SUMMARY
 echo "" >> $GITHUB_STEP_SUMMARY
@@ -109,7 +109,7 @@ jobs:
 fi
 - name: Upload SARIF to GitHub Code Scanning
- if: always()
+ if: always() && hashFiles('cora-results.sarif') != ''
 uses: github/codeql-action/upload-sarif@v4
 with:
 sarif_file: cora-results.sarif
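Review bot: In the hunk at `@@ -82,7 +82,7 @@`, the identity ID that `identity-id` now reads from `secrets.INFISICAL_IDENTITY_ID` stays readable in this repository's history, so the move buys log masking and easier rotation rather than confidentiality. With `method: "oidc"` and `env-slug: "prod"`, what limits access is the claim binding configured on that identity in Infisical (repository, branch or environment), which is not visible here and is worth confirming. The secret also expands to an empty string when it is unset, and secrets are not passed to runs triggered from forks, so the step would then fail on a blank ID; a comment such as `# INFISICAL_IDENTITY_ID: repo secret; an identifier, not a credential — access is gated by the OIDC claims on the identity` above the line would record the intent. Separately, `Infisical/secrets-action@v1.0.9` is a mutable tag on a third-party action that fetches production secrets, and pinning it to a full commit SHA is the safer form. The step begins above the hunk.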
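Review bot: In the hunk at `@@ -96,7 +96,7 @@`, with `|| true` gone a non-zero exit from the review command ends the script at `> cora-results.sarif`, since Actions runs `run:` blocks under `bash -e` unless the step sets another shell, so the `$GITHUB_STEP_SUMMARY` lines after it never execute. Whether the tool exits non-zero when it only reports findings is not visible here; if it does, every run with findings loses its summary. Capturing the status keeps both the summary and the failure: `> cora-results.sarif || status=$?` on this line and `exit "${status:-0}"` as the script's last line. The command starts above the hunk and the script continues below it.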
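Review bot: In the hunk at `@@ -109,7 +109,7 @@`, the new `hashFiles('cora-results.sarif') != ''` guard is also true for a zero-byte or truncated file, and the shell creates `cora-results.sarif` through the `>` redirect before the review command even runs. The guard therefore skips the upload only when the review step never started; if the tool crashes, the upload still runs and is handed a report that is not valid SARIF. A small validation step whose output gates the upload closes that gap. The sketch below assumes `jq` is available on the runner, which is not visible here.

```yaml
      - name: Validate SARIF
        id: sarif
        if: always()
        run: |
          if [ -s cora-results.sarif ] && jq -e '.runs' cora-results.sarif > /dev/null; then
            echo "valid=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Upload SARIF to GitHub Code Scanning
        if: always() && steps.sarif.outputs.valid == 'true'
        # … unchanged: uses / with / sarif_file …
```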