fix(snyk): Update action and split report upload

[piotrzajac]

Summary

Summary by CodeRabbit

• Documentation

  • Added a backlog task describing required Snyk CI workflow fixes and acceptance criteria.

• Chores

  • Updated the CI security scan workflow to use the current Snyk setup and explicit scan commands.
  • Split security scan result uploads into separate, clearly categorized submissions for opensource and code scans; preserved conditional upload behavior to ensure reliability.

Checklist

• Commit messages follow Conventional Commits (type(scope): description)
• dotnet build src/Objectivity.AutoFixture.XUnit2.AutoMock.sln passes with no warnings
• dotnet test src/Objectivity.AutoFixture.XUnit2.AutoMock.sln passes on all framework slices
• Code coverage remains at least at the level prior the change (verified by Codecov)
• Mutation score remains at least at the level prior the change (verified by Stryker)
• New tests follow the GIVEN/WHEN/THEN naming convention and AAA structure (see AGENTS.md)
• No new [SuppressMessage] without a justification comment
• No // TODO: comments added — open a GitHub issue instead
• No new dependencies introduced that are incompatible with the MIT license (verified by FOSSA)

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bdb3c69a-ef08-4f0f-bf8e-f3ac6a3db644

📥 Commits

Reviewing files that changed from the base of the PR and between 6e498ed and 26b8f0d.

📒 Files selected for processing (1)

• .github/workflows/snyk.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/snyk.yml

---

📝 Walkthrough

Walkthrough

Replaces deprecated Snyk action steps in the CI workflow with explicit Snyk CLI setup and run commands, and splits SARIF uploads into two distinct upload steps (opensource and code) with their respective categories and file-existence conditionals. A backlog task document is added.

Changes

Cohort / File(s)	Summary
Backlog task \.backlog/tasks/task-11 - Fix-snyk-workflow.md	Adds a task describing required Snyk workflow fixes and acceptance criteria.
Snyk CI workflow .github/workflows/snyk.yml	Replaces deprecated snyk/actions/dotnet@master steps with snyk/actions/setup@v1.0.0 and explicit run: snyk ... commands; adds separate SARIF upload steps for snyk/opensource.sarif (category: snyk-opensource) and snyk/code.sarif (category: snyk-code) with if: always() && hashFiles(...) != '' conditionals where applicable.

Sequence Diagram(s)

sequenceDiagram
    participant GH as GitHub Actions Runner
    participant Setup as Snyk Setup Action
    participant SnykCLI as Snyk CLI
    participant SARIF as SARIF Upload Action
    GH->>Setup: uses `snyk/actions/setup@v1.0.0`
    GH->>SnykCLI: run `snyk test --sarif-output=snyk/opensource.sarif ...`
    GH->>SnykCLI: run `snyk code test --sarif-output=snyk/code.sarif ...`
    GH->>SnykCLI: run `snyk monitor ...`
    GH->>SARIF: upload `snyk/opensource.sarif` (category: snyk-opensource)
    GH->>SARIF: upload `snyk/code.sarif` (category: snyk-code)

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Prevent run shell injection on actions #247 — Modifies the same .github/workflows/snyk.yml file (shell/error handling and restore steps), likely touching overlapping workflow logic.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description includes the required checklist with all items marked complete, but the summary section is empty and lacks issue closure link and description of changes.	Add a brief description of the issue being fixed, link the relevant GitHub issue with 'Closes #', and complete the summary section with details about the Snyk workflow updates.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main changes: updating the Snyk action and splitting the SARIF report uploads into separate steps.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/snyk-workflow

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/snyk.yml:
- Line 49: Replace the mutable action ref "snyk/actions/setup@master" with an
immutable tag or commit SHA to reduce supply-chain risk; update the workflow
entry that references the Snyk setup action (the uses line for
snyk/actions/setup) to a versioned tag like "snyk/actions/setup@v1.0.0" or a
specific commit SHA (e.g.,
"snyk/actions/setup@dc22abdbe8ec00e2a925256fef96f319ca5510ce") and commit the
change in the workflow file.
- Around line 64-75: Add a guarding check step before each SARIF upload to skip
the upload when the file is missing: create steps with ids
check-opensource-sarif and check-code-sarif that run a shell test (e.g., run:
test -f snyk/opensource.sarif && echo "::set-output name=exists::true" || echo
"::set-output name=exists::false") and then change the upload steps (the ones
using github/codeql-action/upload-sarif@v4 that refer to sarif_file:
snyk/opensource.sarif and snyk/code.sarif) to use if: ${{ always() &&
steps.check-opensource-sarif.outputs.exists == 'true' }} and if: ${{ always() &&
steps.check-code-sarif.outputs.exists == 'true' }} respectively so the upload
only runs when the SARIF file actually exists.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1647e68b-5ef6-4889-a0c6-2d2359d7873b

📥 Commits

Reviewing files that changed from the base of the PR and between 29b2c20 and 6e498ed.

📒 Files selected for processing (2)

• .backlog/tasks/task-11 - Fix-snyk-workflow.md
• .github/workflows/snyk.yml