From 8b2c11d8c58d2a7281ca1891a35010583d6430ef Mon Sep 17 00:00:00 2001
From: Agustin Groh
Date: Mon, 30 Mar 2026 08:07:17 -0300
Subject: [PATCH 1/3] fix(policy):SP-4207 cancel pending policy check runs on workflow failure
---
 dist/index.js | 22 +++++++++++++++++++---
 src/main.ts | 14 +++++++++++---
 src/policies/policy-check.ts | 10 ++++++++++
 3 files changed, 40 insertions(+), 6 deletions(-)
diff --git a/dist/index.js b/dist/index.js
index b005f0d..55667de 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -24510,10 +24510,10 @@ Support boolean input list: \`true | True | TRUE | false | False | FALSE\``); (0, command_1.issueCommand)("error", (0, utils_1.toCommandProperties)(properties), message instanceof Error ? message.toString() : message); } exports2.error = error9; - function warning14(message, properties = {}) { + function warning15(message, properties = {}) { (0, command_1.issueCommand)("warning", (0, utils_1.toCommandProperties)(properties), message instanceof Error ? message.toString() : message); } - exports2.warning = warning14; + exports2.warning = warning15; function notice2(message, properties = {}) { (0, command_1.issueCommand)("notice", (0, utils_1.toCommandProperties)(properties), message instanceof Error ? message.toString() : message); }
@@ -134084,6 +134084,15 @@ var PolicyCheck = class { core3.debug(`Running policy check: ${this.checkName}`); this._status = "RUNNING" /* RUNNING */; } + /** + * Cancels the policy check when the workflow fails before policy execution. + * Only acts on check runs that were started but not yet finished. + */ + async cancel(summary3) { + if (this._status === "FINISHED" /* FINISHED */ || this._status === "UNINITIALIZED" /* UNINITIALIZED */) return; + this._conclusion = "cancelled" /* Cancelled */; + await this.finish(summary3); + } /** * Marks the policy check as successful. */
@@ -136503,13 +136512,13 @@ async function createSnippetAnnotations(resultsPath) { // src/main.ts async function run() { + const policies = policyManager.getPolicies(); try { if (API_KEY) core21.setSecret(API_KEY); if (GITHUB_TOKEN) core21.setSecret(GITHUB_TOKEN); core21.debug(`SCANOSS Scan Action started...`); core21.debug(`Creating policies`); const firstRunId = await getFirstRunId(); - const policies = policyManager.getPolicies(); for (const policy of policies) { await policy.start(firstRunId); }
@@ -136541,6 +136550,13 @@ async function run() { core21.setOutput(RESULT_FILEPATH, OUTPUT_FILEPATH); core21.setOutput(STDOUT_SCAN_COMMAND, stdout); } catch (error9) { + for (const policy of policies) { + try { + await policy.cancel(error9 instanceof Error ? error9.message : "Workflow failed"); + } catch (e) { + core21.warning(`Failed to cancel policy check "${policy.name}": ${e instanceof Error ? e.message : e}`); + } + } if (error9 instanceof Error) core21.setFailed(error9.message); } }
diff --git a/src/main.ts b/src/main.ts
index a70604a..9ebadc2 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -28,6 +28,7 @@ import * as inputs from './app.input';
 import * as outputs from './app.output';
 import { scanService, uploadResults } from './services/scan.service';
 import { policyManager } from './policies/policy.manager';
+import { PolicyCheck } from './policies/policy-check';
 import { DepTrackPolicyCheck } from './policies/dep-track-policy-check';
 import { dependencyTrackService } from './services/dependency-track.service';
 import { dependencyTrackStatusService } from './services/dependency-track-status.service';
@@ -39,6 +40,7 @@ import { createSnippetAnnotations } from './utils/snippet-annotations.utils';
 * @returns {Promise} Resolves when the action is complete.
 */
 export async function run(): Promise {
+ let policies: PolicyCheck[] = [];
 try {
 // Mask sensitive inputs to prevent accidental leakage in logs
 if (inputs.API_KEY) core.setSecret(inputs.API_KEY);
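Review bot: The bundle committed in this patch does not match this source change: here `policies` is declared as `let policies: PolicyCheck[] = [];` and only assigned inside the `try`, while the dist/index.js hunk of the same patch places `const policies = policyManager.getPolicies();` above the `try`, so in that bundle a throw from `getPolicies()` would bypass the catch block and `core.setFailed`. Patch 2/3 rebuilds the bundle to the `let` form, so the series ends consistent, but the mismatch was only corrected as a side effect of a version bump. Since the runner presumably executes dist/index.js rather than src, a CI step that rebuilds the bundle and fails when `git diff --exit-code dist/` reports changes would keep the executed artifact tied to the reviewed source. The body of `run` continues outside this hunk.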
@@ -49,9 +51,7 @@ export async function run(): Promise {
 // create policies
 core.debug(`Creating policies`);
 const firstRunId = await getFirstRunId();
-
- //Read declared policies on input parameter 'policies' and create an instance for each one.
- const policies = policyManager.getPolicies();
+ policies = policyManager.getPolicies();
 for (const policy of policies) {
 await policy.start(firstRunId);
 }
@@ -99,6 +99,14 @@ export async function run(): Promise {
 core.setOutput(outputs.RESULT_FILEPATH, inputs.OUTPUT_FILEPATH);
 core.setOutput(outputs.STDOUT_SCAN_COMMAND, stdout);
 } catch (error) {
+ // Cancel any pending policy check runs so they don't remain in "queued" status
+ for (const policy of policies) {
+ try {
+ await policy.cancel(error instanceof Error ? error.message : 'Workflow failed');
+ } catch (e) {
+ core.warning(`Failed to cancel policy check "${policy.name}": ${e instanceof Error ? e.message : e}`);
+ }
+ }
 // fail the workflow run if an error occurs
 if (error instanceof Error) core.setFailed(error.message);
 }
diff --git a/src/policies/policy-check.ts b/src/policies/policy-check.ts
index 0d0dffc..536ce8c 100644
--- a/src/policies/policy-check.ts
+++ b/src/policies/policy-check.ts
@@ -161,6 +161,16 @@ export abstract class PolicyCheck {
 this._status = STATUS.RUNNING;
 }
 
+ /**
+ * Cancels the policy check when the workflow fails before policy execution.
+ * Only acts on check runs that were started but not yet finished.
+ */
+ async cancel(summary: string): Promise {
+ if (this._status === STATUS.FINISHED || this._status === STATUS.UNINITIALIZED) return;
+ this._conclusion = CONCLUSION.Cancelled;
+ await this.finish(summary);
+ }
+
 /**
 * Marks the policy check as successful.
 */
From 5d62c4c24f0c621154292256050ff6889123467d Mon Sep 17 00:00:00 2001
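Review bot: In the catch block of `run` (the `@@ -99,6 +99,14 @@` hunk), a thrown value that is not an `Error` now cancels the policy checks with 'Workflow failed' but still never reaches `core.setFailed`, because the unchanged guard `if (error instanceof Error)` skips it, so the step would presumably finish without a failure status even though the scan did not complete. For a scan gate the safer default is to fail closed: `core.setFailed(error instanceof Error ? error.message : String(error));`. Separately, `error.message` is handed verbatim to `policy.cancel` and from there to `finish(summary)`, whose implementation is not in this patch. If that text is written to the check run output, it sits outside the log masking set up by `core.setSecret`, so a fixed summary such as `'Workflow failed before policy evaluation completed'` with the detail left in the job log would avoid publishing raw error text.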
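Review bot: The docstring added on `cancel` in src/policies/policy-check.ts is narrower than how the method is used and leaves `summary` undocumented: main.ts calls it from the catch that wraps the whole `run` body, so it also fires for failures during or after policy execution, not only "before policy execution". I would reword the first line to `Cancels the policy check when the workflow fails before this check has finished.` and add `@param summary Reason for the cancellation, forwarded to finish().`. The guard is also written as an exclusion list (`STATUS.FINISHED`, `STATUS.UNINITIALIZED`), so any status added later would be cancellable by default; naming the states that may be cancelled would be the stricter form, though the full `STATUS` enum is not visible here. The class body starts and ends outside this hunk.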
From: Agustin Groh
Date: Mon, 30 Mar 2026 08:25:17 -0300
Subject: [PATCH 2/3] chore(version): upgrade version to v1.6.1
---
 CHANGELOG.md | 5 +++++
 dist/index.js | 5 +++--
 package.json | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e78b5c5..c698c31 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.6.1] - 2026-03-30
+### Fixed
+- Fixed policy check runs remaining in "queued" status when the workflow fails before policy execution
+
 ## [1.6.0] - 2026-03-05
 ### Changed
 - Replaced `vercel/ncc` by `esbuild` to support ESM modules
@@ -190,3 +194,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [1.4.0]: https://github.com/scanoss/gha-code-scan/compare/v1.3.1...v1.4.0
 [1.5.0]: https://github.com/scanoss/gha-code-scan/compare/v1.4.0...v1.5.0
 [1.6.0]: https://github.com/scanoss/gha-code-scan/compare/v1.5.0...v1.6.0
+[1.6.1]: https://github.com/scanoss/gha-code-scan/compare/v1.6.0...v1.6.1
diff --git a/dist/index.js b/dist/index.js
index 55667de..76dae43 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -1,4 +1,4 @@ -/*! scanoss-code-scan-action v1.6.0 | MIT */ +/*! scanoss-code-scan-action v1.6.1 | MIT */ "use strict"; var __create = Object.create; var __defProp = Object.defineProperty;
@@ -136512,13 +136512,14 @@ async function createSnippetAnnotations(resultsPath) { // src/main.ts async function run() { - const policies = policyManager.getPolicies(); + let policies = []; try { if (API_KEY) core21.setSecret(API_KEY); if (GITHUB_TOKEN) core21.setSecret(GITHUB_TOKEN); core21.debug(`SCANOSS Scan Action started...`); core21.debug(`Creating policies`); const firstRunId = await getFirstRunId(); + policies = policyManager.getPolicies(); for (const policy of policies) { await policy.start(firstRunId); }
diff --git a/package.json b/package.json
index 9a4d688..c95647b 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "scanoss-code-scan-action",
 "description": "SCANOSS Code Scan Action",
- "version": "1.6.0",
+ "version": "1.6.1",
 "author": "SCANOSS",
 "private": true,
 "homepage": "https://github.com/scanoss/code-scan-action/",
From 4257f05802b82b6db0254ef05a1c7b402a7fa6db Mon Sep 17 00:00:00 2001
From: Agustin Groh
Date: Mon, 30 Mar 2026 09:52:50 -0300
Subject: [PATCH 3/3] chore(scanoss): add scanoss.json file
---
 sbom.json | 7 -------
 scanoss.json | 12 ++++++++++++
 2 files changed, 12 insertions(+), 7 deletions(-)
 delete mode 100644 sbom.json
 create mode 100644 scanoss.json
diff --git a/sbom.json b/sbom.json
deleted file mode 100644
index 7f49028..0000000
--- a/sbom.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "components": [
- {
- "purl": "pkg:github/scanoss/code-scan-action"
- }
- ]
-}
\ No newline at end of file
diff --git a/scanoss.json b/scanoss.json
new file mode 100644
index 0000000..03fcaf3
--- /dev/null
+++ b/scanoss.json
@@ -0,0 +1,12 @@
+{
+ "bom": {
+ "include": [
+ {
+ "purl": "pkg:github/scanoss/gha-code-scan"
+ },
+ {
+ "purl": "pkg:github/plinioh/setup-binary-action"
+ }
+ ]
+ }
+}
\ No newline at end of file