Fix audit verifier action (and add variable initializations to other actions)

.github/workflows/ensureSCCoreDevApproval.yml

@@ -17,6 +17,7 @@ jobs:
         env:
           GH_PAT: ${{ secrets.GIT_TOKEN }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CONTINUE: false # makes sure that variable is correctly initialized in all cases
         run: |
 
           ##### unset the default git token (does not have sufficient rights to get team members)

.github/workflows/protectAuditLabels.yml

@@ -15,6 +15,8 @@ on:
 jobs:
   protect_audit_labels:
     runs-on: ubuntu-latest
+    env:
+      CONTINUE: false # makes sure that variable is correctly initialized in all cases
 
     steps:
       - name: Checkout repository

.github/workflows/protectSecurityRelevantCode.yml

@@ -13,6 +13,8 @@ jobs:
   protect-critical-code:
     if: ${{ github.event.pull_request.draft == false }}
     runs-on: ubuntu-latest
+    env:
+      CONTINUE: false # makes sure that variable is correctly initialized in all cases
     permissions:
       pull-requests: write
     steps:

.github/workflows/verifyAudit.yml

@@ -25,6 +25,7 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }}
       AUDIT_LOG_PATH: 'audit/auditLog.json'
       PR_NUMBER: ${{ github.event.pull_request.number }}
+      CONTINUE: false # makes sure that variable is correctly initialized in all cases
 
     permissions:
       pull-requests: write
@@ -45,7 +46,8 @@ jobs:
           ##### Make sure that there are modified files
           if [[ -z $FILES ]]; then
             echo -e "\033[31mNo files found. This should not happen. Please check the code of the Github action. Aborting now.\033[0m"
-            echo "CONTINUE=false" >> "$GITHUB_ENV"
+            echo "CONTINUE=false" >> "$GITHUB_ENV" # explicit assignment, even though already initialized with false
+            exit 1
           fi
 
           ##### Initialize empty variables
@@ -67,18 +69,19 @@ jobs:
             echo -e "\033[31mProtected contracts found in this PR.\033[0m"
             echo "PROTECTED_CONTRACTS: $PROTECTED_CONTRACTS"
             echo "AUDIT_REQUIRED=true" >> "$GITHUB_ENV"
-            echo "$AUDIT_REQUIRED" > audit_required.txt
             echo -e "$PROTECTED_CONTRACTS" > protected_contracts.txt
           fi
 
       - name: Assign, update, and verify labels based on check outcome
         uses: actions/github-script@v7
         env:
           AUDIT_REQUIRED: ${{ env.AUDIT_REQUIRED }}
+          CONTINUE: ${{ env.CONTINUE }}
         with:
           script: |
             const { execSync } = require('child_process');
 
+            console.log(`CONTINUE=${core.read}`)
             // ANSI escape codes for colors (used for colored output in Git action console)
             const colors = {
               reset: "\033[0m",
@@ -126,6 +129,12 @@ jobs:
               console.log(`${colors.green}Opposite label "${oppositeLabel}" is not assigned. No action needed.${colors.reset}`);
             }
 
+            // Remove the AuditCompleted label if it is present
+            if (assignedLabels.includes('AuditCompleted')) {
+              console.log(`Now removing AuditCompleted label`);
+              execSync(`gh pr edit ${{ github.event.pull_request.number }} --remove-label "AuditCompleted"`, { stdio: 'inherit' });
+            }
+
             // fetch all currently assigned labels again
             assignedLabels = []
             try {
@@ -156,12 +165,18 @@ jobs:
             else
               console.log(`Label 'AuditCompleted' is currently not assigned`);
 
+            // set CONTINUE to true to make sure the following steps are executed
+            core.exportVariable('CONTINUE', 'true');
+
       - name: Check Audit Log
         continue-on-error: true
         id: check-audit-log
-        if: env.AUDIT_REQUIRED == 'true'
+        if: always() && env.CONTINUE == 'true' # always() ensures that validation is always executed, even if env variable is not set
         run: |
 
+          echo "CONTINUE=$CONTINUE"
+
+
           echo "This step will make sure that an audit is logged for each contract modified/added by this PR."
           echo "It will also make sure that no information is missing in the audit log and that the information is meaningful."
 
@@ -381,7 +396,7 @@ jobs:
           echo "Assigning label 'AuditCompleted' next"
 
       - name: Assign label "AuditCompleted" if all checks passed
-        if: ${{ env.AUDIT_REQUIRED == 'true' && env.CONTINUE == 'true' }}
+        if: ${{ always() && env.AUDIT_REQUIRED == 'true' && env.CONTINUE == 'true' }}
         uses: actions-ecosystem/action-add-labels@v1
         id: assign_label
         with:
@@ -392,14 +407,14 @@ jobs:
       - name: Remove label "AuditCompleted" in case check was not successful but label was assigned in earlier checks
         continue-on-error: true # This ensures the step will execute even if the job has a failed status.
         uses: actions-ecosystem/action-remove-labels@v1
-        if: ${{ env.AUDIT_COMPLETED_ASSIGNED && (env.CONTINUE == 'false' || (env.CONTINUE == 'true' && env.AUDIT_REQUIRED == 'false'))}}
+        if: ${{ always() && env.AUDIT_COMPLETED_ASSIGNED && (env.CONTINUE == 'false' || (env.CONTINUE == 'true' && env.AUDIT_REQUIRED == 'false'))}}
         with:
           github_token: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }} # we use the token of the lifi-action-bot so the label protection check will pass
           labels: 'AuditCompleted'
           number: ${{ env.PR_NUMBER }}
 
       - name: Fail the git action if any critical step failed
-        if: env.CONTINUE == 'false' # This step runs only if a failure was recorded
+        if: always() && env.CONTINUE == 'false' # This step runs only if a failure was recorded
         run: |
 
           echo -e "\033[31mError: One or more critical steps failed. Failing the job.\033[0m"