# TAS Upload SARIF

Reusable GitHub Action that uploads a SARIF report to [TAS (Tea Advanced Security)](https://github.com/go-gitea/gitea) and **fails the job** if the API responds with `allowed: false` (e.g. new findings above your policy).

## Inputs

| Input          | Required | Description                                               |
| -------------- | -------- | --------------------------------------------------------- |
| `tas-base-url` | Yes      | Base URL of the TAS API (e.g. `https://tas.example.com`)  |
| `sarif-file`   | Yes      | Path to the SARIF report file (JSON)                      |
| `owner`        | No       | Repository owner (default: `github.repository_owner`)     |
| `repo`         | No       | Repository name (default: `github.event.repository.name`) |
| `branch`       | No       | Branch name (default: `github.ref_name`)                  |

## Usage

```yaml
- name: Upload SARIF to TAS and gate
  uses: https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@v1
  with:
    tas-base-url: "https://tas.example.com"
    sarif-file: "results.sarif"
```

With explicit owner/repo/branch (e.g. for monorepos or custom refs):

```yaml
- uses: https://gitea.t000-n.de/t.behrendt/tas-actions/tas-upload-sarif@v1
  with:
    tas-base-url: ${{ vars.TAS_BASE_URL }}
    sarif-file: "scan-output.sarif"
    owner: ${{ github.repository_owner}}
    repo: ${{ github.event.repository.name }}
    branch: ${{ github.head_ref }}
```

## Behavior

1. **POST**s the SARIF file to `{tas-base-url}/repos/{owner}/{repo}/branches/{branch}/reports`.
2. On HTTP non-200, the step fails and prints the response body.
3. On success, reads the JSON response:
   - If `allowed` is `true`, the step succeeds.
   - If `allowed` is `false`, the step **fails** and prints `reason` and the full response (e.g. `new_critical`, `new_high`, `new_findings`).

## Requirements

- **GitHub-hosted runners**: `curl` and `jq` are available by default.
- **Self-hosted runners**: ensure `curl` and `jq` are installed.