fork of https://github.com/sourcegraph/zoekt

chore: old gh action cleanup (#1056)

-37
-37
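--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -1,37 +0,0 @@
-name: Semgrep - SAST Scan
-
-on:
-pull_request_target:
-types: [ closed, edited, opened, synchronize, ready_for_review ]
-
-jobs:
-semgrep:
-permissions:
-contents: read # for actions/checkout to fetch code
-security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
-runs-on: ubuntu-latest
-container:
-image: returntocorp/semgrep
-
-steps:
-- uses: actions/checkout@v6
-with:
-ref: ${{ github.event.pull_request.head.ref }}
-repository: ${{ github.event.pull_request.head.repo.full_name }}
-
-- name: Checkout semgrep-rules repo
-uses: actions/checkout@v6
-with:
-repository: sourcegraph/security-semgrep-rules
-token: ${{ secrets.GH_SEMGREP_SAST_TOKEN }}
-path: semgrep-rules
-
-- name: Run Semgrep SAST Scan
-run: |
-mv semgrep-rules ../
-semgrep ci -f ../semgrep-rules/semgrep-rules/ --metrics=off --oss-only --suppress-errors --sarif -o results.sarif --exclude='semgrep-rules' --baseline-commit "$(git merge-base main HEAD)" || true
-- name: Upload SARIF file
-uses: github/codeql-action/upload-sarif@v4
-with:
-sarif_file: results.sarif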