From a02b9abe2344b59c2e27a54c9b7e875aeb5453d6 Mon Sep 17 00:00:00 2001
From: "david.dai"
Date: Thu, 9 Apr 2026 22:24:39 +0800
Subject: [PATCH] feat(ci): fail workflow when critical vulnerabilities are found

The AI security audit now exits with failure if any CRITICAL severity issues are detected, preventing PRs with critical vulnerabilities from showing a green check.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/ai-security-audit.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/ai-security-audit.yml b/.github/workflows/ai-security-audit.yml
index e9073d28..d86a6225 100644
--- a/.github/workflows/ai-security-audit.yml
+++ b/.github/workflows/ai-security-audit.yml
@@ -145,6 +145,15 @@ jobs:
           # Post new comment
           gh pr comment "$PR_NUMBER" --body-file comment_body.md
 
+      - name: Fail if critical issues found
+        if: steps.check.outputs.skip != 'true'
+        run: |
+          if grep -qi '\[CRITICAL\]' audit_result.md; then
+            CRITICAL_COUNT=$(grep -ci '\[CRITICAL\]' audit_result.md)
+            echo "::error::AI security audit found ${CRITICAL_COUNT} CRITICAL issue(s). Please fix them before merging."
+            exit 1
+          fi
+
       - name: Post skip comment
         if: steps.check.outputs.skip == 'true'
         env:
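Review bot: The new "Fail if critical issues found" step passes silently when `audit_result.md` is missing or empty: `grep -qi` on a non-existent file returns 2, the `if` is simply false, and because `-e` does not apply inside an `if` condition the step exits 0 and the PR keeps its green check even though no audit result was actually evaluated. The gate should first assert the result file exists and is non-empty, and the count can then be taken from a single `grep -c` (with `|| true`, since `grep -c` exits 1 on zero matches) instead of grepping twice. Whether an earlier audit failure is already fatal depends on that step's `continue-on-error` setting, which is outside this hunk, so the explicit file check is the safer assumption. Separately, the gate keys off a free-text `[CRITICAL]` tag in model output, so `-i` will also match that token in lowercase prose (e.g. a sentence saying no critical issues were found) and a model that formats the severity differently slips through; if the audit prompt specifies the uppercase bracketed tag, dropping `-i` reduces false positives, and a structured severity field would make the check robust.
```yaml
        run: |
          if [ ! -s audit_result.md ]; then
            echo "::error::audit_result.md is missing or empty; the audit produced no result to gate on."
            exit 1
          fi
          CRITICAL_COUNT=$(grep -c '\[CRITICAL\]' audit_result.md || true)
          if [ "${CRITICAL_COUNT:-0}" -gt 0 ]; then
            echo "::error::AI security audit found ${CRITICAL_COUNT} CRITICAL issue(s). Please fix them before merging."
            exit 1
          fi
```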