From cd3449d193eda991fcffc3a10616345bba261564 Mon Sep 17 00:00:00 2001
From: Gerardo Di Giacomo
Date: Mon, 14 Aug 2023 12:53:24 -0700
Subject: [PATCH] Update workflows (#9650)
* Update semgrep.yaml to also run daily
* update semgrep rule
* fix workflows
* Update .github/workflows/semgrep.yaml
Co-authored-by: Balaji Arun
---------
Co-authored-by: Balaji Arun
---
 .../semgrep/pull-request-target-code-checkout.yaml | 9 +++++++++
 .github/workflows/docker-build-test.yaml | 1 +
 .github/workflows/semgrep.yaml | 2 ++
 .github/workflows/ts-sdk-e2e-tests.yaml | 1 +
 4 files changed, 13 insertions(+)
diff --git a/.github/linters/semgrep/pull-request-target-code-checkout.yaml b/.github/linters/semgrep/pull-request-target-code-checkout.yaml
index 1348d505f6c36..a6186a753ab37 100644
--- a/.github/linters/semgrep/pull-request-target-code-checkout.yaml
+++ b/.github/linters/semgrep/pull-request-target-code-checkout.yaml
@@ -47,6 +47,15 @@ rules:
 ...
 $JOBNAME:
 ...
+ - pattern-not-inside: |
+ needs: [..., permission-check, ...]
+ ...
+ - pattern-not-inside: |
+ needs:
+ ...
+ - permission-check
+ ...
+ ...
 - pattern-not-inside: |
 needs: [permission-check]
 ...
diff --git a/.github/workflows/docker-build-test.yaml b/.github/workflows/docker-build-test.yaml
index 6a7f0f15c4027..0d373bc32a036 100644
--- a/.github/workflows/docker-build-test.yaml
+++ b/.github/workflows/docker-build-test.yaml
@@ -111,6 +111,7 @@ jobs:
 # This job determines which files were changed
 file_change_determinator:
+ needs: [permission-check]
 runs-on: ubuntu-latest
 outputs:
 only_docs_changed: ${{ steps.determine_file_changes.outputs.only_docs_changed }}
diff --git a/.github/workflows/semgrep.yaml b/.github/workflows/semgrep.yaml
index 320f35904f60e..9505c7b3b2b9c 100644
--- a/.github/workflows/semgrep.yaml
+++ b/.github/workflows/semgrep.yaml
@@ -4,6 +4,8 @@ on:
 workflow_dispatch:
 pull_request:
 types: [labeled, opened, synchronize, reopened, auto_merge_enabled]
+ schedule:
+ - cron: '0 * * * *'
 jobs:
 semgrep:
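Review bot: In `pull-request-target-code-checkout.yaml`, the two added `pattern-not-inside` exclusions accept any job that names `permission-check` in `needs`. That dependency does not hold back a job whose `if:` uses `always()` or a similar status function, so such a job would run after a failed check and no longer be reported. The rest of the rule lies outside this hunk and may already cover the case; if it does not, a comment above the exclusions such as `# a needs: on permission-check does not gate jobs that set if: always()` would record the limit. The older `needs: [permission-check]` exclusion kept below the additions looks subsumed by the new `[..., permission-check, ...]` form, assuming the ellipsis also matches zero elements, and could then be dropped.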
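Review bot: In `docker-build-test.yaml`, the added `needs: [permission-check]` on `file_change_determinator` has no explanation, and the job's only comment still describes just the file-change detection. The identical line added in `.github/workflows/ts-sdk-e2e-tests.yaml` has the same gap. A comment above the line, for example `# Wait for permission-check so this job never runs for an unapproved pull request`, would keep a later edit from removing the gate as an apparently unused dependency. The purpose is inferred from the job name and the Semgrep rule changed in this commit, so confirm the wording against what `permission-check` does. The job body continues outside the hunk.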
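Review bot: In `semgrep.yaml`, the added `- cron: '0 * * * *'` fires at minute 0 of every hour, while the commit message says the workflow should "also run daily". If a daily scan is intended, the line would be `- cron: '0 0 * * *'`, which GitHub evaluates in UTC. If hourly is intended, a trailing comment such as `# hourly, on the hour (UTC)` would remove the mismatch with the commit message. The `jobs:` section continues outside the hunk.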
diff --git a/.github/workflows/ts-sdk-e2e-tests.yaml b/.github/workflows/ts-sdk-e2e-tests.yaml
index 8a4b53419af29..1a9c168e5dbbf 100644
--- a/.github/workflows/ts-sdk-e2e-tests.yaml
+++ b/.github/workflows/ts-sdk-e2e-tests.yaml
@@ -34,6 +34,7 @@ jobs:
 # This job determines which files were changed
 file_change_determinator:
+ needs: [permission-check]
 runs-on: ubuntu-latest
 outputs:
 only_docs_changed: ${{ steps.determine_file_changes.outputs.only_docs_changed }}