[BUG] Empty --iac-type argument in Security workflow when called without inputs #99
Description
Bug Description
When security-comprehensive.yml is called from main.yml without explicit inputs, the ${{ inputs.iac-types }} expression evaluates to an empty string instead of the default value 'all'. This causes aio-version-checker.py to fail with "argument -t/--iac-type: expected one argument".
Reproduction Steps
- Push to main branch (triggers main.yml)
- main.yml calls security-comprehensive.yml at line 144 without
with:inputs:uses: ./.github/workflows/security-comprehensive.yml secrets: inherit # No 'with:' block - inputs not passed
- Security workflow fails with argument error
Expected Behavior
The workflow should use the default value 'all' when no input is provided.
Actual Behavior
Error: argument -t/--iac-type: expected one argument
The default: 'all' in the input definition is not applied when the workflow is called without a with: block.
Environment
- Workflow:
.github/workflows/security-comprehensive.yml - Caller:
.github/workflows/main.ymlline 144 - Affected runs: 37+ daily failures
Root Cause Analysis
GitHub Actions workflow inputs with defaults only apply when the input is explicitly referenced in a with: block. When called without with:, the input is undefined (empty string), not the default value.
Current code:
python scripts/aio-version-checker.py \
--iac-type ${{ inputs.iac-types }} \Proposed Solution
Add fallback operator to the workflow step:
python scripts/aio-version-checker.py \
--iac-type ${{ inputs.iac-types || 'all' }} \This ensures the value is 'all' whether the input is missing, empty, or undefined.
Additional Context
Research document: .copilot-tracking/research/20260114-github-pr-linting-failures-research.md