Skip auto-open of the report in headless/CI runs (+ ADOQR_NO_OPEN)

ngtanthanh-qc · ngtanthanh-qc · commit ba56db0a0f6d · 2026-06-07T23:45:46.000+07:00
The end-of-run auto-open invoked the platform opener unconditionally. On a
headless agent (scheduled pipeline, container, CI) xdg-open is often absent or
fails with no display; under PowerShell 7.4 a missing/failing native command is
a terminating error, which the script's trap turns into a FATAL ERROR — failing
the run even though the assessment and reports succeeded.

Suppress auto-open in non-interactive contexts and make it best-effort:
- Add Test-ShouldAutoOpenReport, honoring ADOQR_NO_OPEN (parity with the Bash
  entry point) plus CI / TF_BUILD (GitHub Actions, Azure Pipelines).
- Wrap the opener in try/catch so a missing or failing opener degrades to a
  verbose message instead of a fatal error.
- Add Pester coverage, document ADOQR_NO_OPEN in the README, and record the
  change in CHANGELOG.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,8 +10,10 @@ and this project adheres to Semantic Versioning.
 ### Added
 - Executive summary now includes an Organization Extensions section that lists all extensions with Installed vs Default classification and installed-first ordering.
 - Top navigation now includes an Extensions anchor placed before Run Comparison for faster access to extension findings.
+- `ADOQR_NO_OPEN` environment variable to suppress auto-opening the executive report (parity with the Bash entry point).
 
 ### Fixed
+- Auto-opening the executive report is now skipped in non-interactive contexts (when `ADOQR_NO_OPEN` is set, or under CI/Azure Pipelines via `CI`/`TF_BUILD`) and wrapped so a missing or failing opener — e.g. no `xdg-open` on a headless agent — can no longer turn an otherwise successful assessment into a fatal error. This makes scheduled/container runs reliable.
 - Auto-opening the executive HTML report at the end of a run now uses the platform-native opener (`open` on macOS, `xdg-open` on Linux, `Start-Process` on Windows) instead of `Start-Process` for all platforms, which raised `Permission denied` on macOS/Linux because PowerShell tried to execute the `.html` file as a binary.
 - Pipeline Authorization Scope checks now evaluate effective scope using project/org pipeline settings (`enforceJobAuthScope` and `enforceJobAuthScopeForReleases`) before pipeline-level values, preventing false positives when scope is enforced at project level.
 - Organization policy checks now evaluate policy `value` (with safe casing/boolean normalization) and include the new helper functions in parallel runspace serialization, fixing false results for `OAUTH-02` (SSH Access Disabled) and aligning `OAUTH-01` with the actual policy state.
diff --git a/README.md b/README.md
@@ -92,7 +92,8 @@ az login
 
 Reports are saved to a timestamped subfolder under `assessments/`. The
 executive HTML summary auto-opens in your browser when the assessment
-completes.
+completes. Auto-opening is skipped automatically in CI and other
+non-interactive environments; set `ADOQR_NO_OPEN=1` to suppress it anywhere.
 
 If the Azure DevOps Azure CLI extension is not already installed, adoqr
 installs it automatically before the review starts.
diff --git a/invoke-adoqr.ps1 b/invoke-adoqr.ps1
@@ -5529,6 +5529,31 @@ function Import-AdoqrSettings {
     return $settings
 }
 
+function Test-ShouldAutoOpenReport {
+    <#
+    .SYNOPSIS
+        Decides whether the executive report should auto-open in a browser.
+    .DESCRIPTION
+        Auto-opening is meaningful only in an interactive desktop session. It is
+        suppressed when explicitly disabled via ADOQR_NO_OPEN or when running in
+        a non-interactive automation context (CI, scheduled pipelines,
+        containers), where launching a browser has no effect and can surface a
+        missing-opener error. ADOQR_NO_OPEN mirrors the Bash entry point.
+    .PARAMETER EnvironmentVariables
+        Hashtable of relevant environment variables (ADOQR_NO_OPEN, TF_BUILD,
+        CI). Injected for testability; callers pass the live $env: values.
+    #>
+    [CmdletBinding()]
+    param(
+        [hashtable]$EnvironmentVariables = @{}
+    )
+
+    if (-not [string]::IsNullOrWhiteSpace($EnvironmentVariables['ADOQR_NO_OPEN'])) { return $false }  # explicit opt-out
+    if (-not [string]::IsNullOrWhiteSpace($EnvironmentVariables['TF_BUILD']))      { return $false }  # Azure Pipelines
+    if (-not [string]::IsNullOrWhiteSpace($EnvironmentVariables['CI']))            { return $false }  # GitHub Actions & most CIs
+    return $true
+}
+
 #endregion
 
 #region Main
@@ -6238,15 +6263,33 @@ Write-Host ""
 
 Write-Progress -Activity "Assessment" -Completed
 
-# Auto-open the executive report in the default browser (cross-platform)
-if ($IsMacOS) {
-    & open $htmlReportPath
+# Auto-open the executive report in the default browser (cross-platform).
+# Skipped in non-interactive contexts (ADOQR_NO_OPEN, CI, scheduled pipelines,
+# containers); wrapped so a missing or failing opener never turns a successful
+# assessment into a fatal error.
+$openEnv = @{
+    ADOQR_NO_OPEN = $env:ADOQR_NO_OPEN
+    TF_BUILD      = $env:TF_BUILD
+    CI            = $env:CI
 }
-elseif ($IsLinux) {
-    & xdg-open $htmlReportPath
+if (Test-ShouldAutoOpenReport -EnvironmentVariables $openEnv) {
+    try {
+        if ($IsMacOS) {
+            & open $htmlReportPath
+        }
+        elseif ($IsLinux) {
+            & xdg-open $htmlReportPath
+        }
+        else {
+            Start-Process $htmlReportPath
+        }
+    }
+    catch {
+        Write-Verbose "Could not auto-open the executive report: $($_.Exception.Message)"
+    }
 }
 else {
-    Start-Process $htmlReportPath
+    Write-Verbose "Auto-open suppressed (ADOQR_NO_OPEN set or non-interactive/CI environment). Report: $htmlReportPath"
 }
 
 #endregion
diff --git a/tests/AutoOpen.Tests.ps1 b/tests/AutoOpen.Tests.ps1
@@ -0,0 +1,28 @@
+#Requires -Modules @{ ModuleName = 'Pester'; ModuleVersion = '5.0.0' }
+
+BeforeAll {
+    . $PSScriptRoot/_Bootstrap.ps1
+}
+
+Describe 'Test-ShouldAutoOpenReport' {
+    It 'opens when no suppressing environment variables are set' {
+        Test-ShouldAutoOpenReport -EnvironmentVariables @{} | Should -BeTrue
+    }
+
+    It 'suppresses when ADOQR_NO_OPEN is set' {
+        Test-ShouldAutoOpenReport -EnvironmentVariables @{ ADOQR_NO_OPEN = '1' } | Should -BeFalse
+    }
+
+    It 'suppresses under Azure Pipelines (TF_BUILD)' {
+        Test-ShouldAutoOpenReport -EnvironmentVariables @{ TF_BUILD = 'True' } | Should -BeFalse
+    }
+
+    It 'suppresses under generic CI (CI)' {
+        Test-ShouldAutoOpenReport -EnvironmentVariables @{ CI = 'true' } | Should -BeFalse
+    }
+
+    It 'treats empty/whitespace values as not set' {
+        Test-ShouldAutoOpenReport -EnvironmentVariables @{ ADOQR_NO_OPEN = ''; TF_BUILD = '   '; CI = $null } |
+            Should -BeTrue
+    }
+}
diff --git a/tests/_Bootstrap.ps1 b/tests/_Bootstrap.ps1
@@ -35,6 +35,7 @@ $wantedFns = @(
     'Get-AdoqrHeaderCss'
     'Get-AdoqrHeaderHtml'
     'Import-AdoqrSettings'
+    'Test-ShouldAutoOpenReport'
 )
 
 $funcs = $tree.FindAll({

Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,7 @@ $wantedFns = @(`
`35`	`35`	`'Get-AdoqrHeaderCss'`
`36`	`36`	`'Get-AdoqrHeaderHtml'`
`37`	`37`	`'Import-AdoqrSettings'`
	`38`	`+ 'Test-ShouldAutoOpenReport'`
`38`	`39`	`)`
`39`	`40`
`40`	`41`	`$funcs = $tree.FindAll({`