fix: url encode owner, repo, and branch name (#7)

Reviewed-on: #7
Co-authored-by: Timo Behrendt <t.behrendt@t00n.de>
Co-committed-by: Timo Behrendt <t.behrendt@t00n.de>

.gitea/workflows/cd.yaml

@@ -4,6 +4,8 @@ on:
   push:
     branches:
       - main
+    paths:
+      - "tas-upload-sarif/**"
   workflow_dispatch:
 
 jobs:

README.md

@@ -7,24 +7,6 @@ Reusable GitHub Actions for [TAS (Tea Advanced Security)](https://github.com/go-
 ### [tas-upload-sarif](tas-upload-sarif/)
 
 Uploads a SARIF report from a file to TAS and **fails the job** if the API returns `allowed: false`.
+sarif-file: 'results.sarif'
 
-**Example workflow** (e.g. after a security scan that produces SARIF):
-
-```yaml
-jobs:
-  scan:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      # Run your scanner and produce SARIF (e.g. to results.sarif)
-      # - run: ./run-scanner --output results.sarif
-
-      - name: Upload SARIF to TAS and gate
-        uses: your-org/tas-actions/tas-upload-sarif@v1
-        with:
-          tas-base-url: 'https://tas.example.com'
-          sarif-file: 'results.sarif'
-```
-
-See [tas-upload-sarif/README.md](tas-upload-sarif/README.md) for all inputs and options.
+See [tas-upload-sarif/README.md](tas-upload-sarif/README.md) for all inputs and options.

tas-upload-sarif/README.md

@@ -25,10 +25,10 @@ Reusable GitHub Action that uploads a SARIF report to [TAS (Tea Advanced Securit
 With explicit owner/repo/branch (e.g. for monorepos or custom refs):
 
 ```yaml
-- uses: [your-org/tas-actions/tas-upload-sarif@v1](https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@v1)
+- uses: https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@v1
   with:
     tas-base-url: ${{ vars.TAS_BASE_URL }}
-    sarif-file: 'scan-output.sarif'
+    sarif-file: "scan-output.sarif"
     owner: ${{ github.repository_owner}}
     repo: ${{ github.event.repository.name }}
     branch: ${{ github.head_ref }}

tas-upload-sarif/action.yml

@@ -1,23 +1,23 @@
-name: 'TAS Upload SARIF'
-description: 'Upload a SARIF report to TAS (Tea Advanced Security) and fail the job if gating returns allowed: false'
+name: "TAS Upload SARIF"
+description: "Upload a SARIF report to TAS (Tea Advanced Security) and fail the job if gating returns allowed: false"
 inputs:
   tas-base-url:
-    description: 'Base URL of the TAS API (e.g. https://tas.example.com)'
+    description: "Base URL of the TAS API (e.g. https://tas.example.com)"
     required: true
   sarif-file:
-    description: 'Path to the SARIF report file (JSON)'
+    description: "Path to the SARIF report file (JSON)"
     required: true
   owner:
-    description: 'Repository owner (default: GitHub repository owner)'
+    description: "Repository owner (default: GitHub repository owner)"
     required: false
   repo:
-    description: 'Repository name (default: GitHub repository name)'
+    description: "Repository name (default: GitHub repository name)"
     required: false
   branch:
-    description: 'Branch name (default: current ref name, e.g. main)'
+    description: "Branch name (default: current ref name, e.g. main)"
     required: false
 runs:
-  using: 'composite'
+  using: "composite"
   steps:
     - name: Upload SARIF to TAS and gate
       shell: bash
@@ -29,7 +29,10 @@ runs:
         SARIF_FILE: ${{ inputs.sarif-file }}
       run: |
         BASE_URL="${BASE_URL%/}"
-        URL="${BASE_URL}/repos/${OWNER}/${REPO}/branches/${BRANCH}/reports"
+        OWNER_ENC=$(jq -rn --arg x "$OWNER" '$x | @uri')
+        REPO_ENC=$(jq -rn --arg x "$REPO" '$x | @uri')
+        BRANCH_ENC=$(jq -rn --arg x "$BRANCH" '$x | @uri')
+        URL="${BASE_URL}/repos/${OWNER_ENC}/${REPO_ENC}/branches/${BRANCH_ENC}/reports"
         echo "Uploading SARIF to TAS: $URL"
 
         if [[ ! -f "$SARIF_FILE" ]]; then