From 2ae4672d884b4c7550a4f6ede429f1d106928161 Mon Sep 17 00:00:00 2001
From: Evan Sims
Date: Thu, 26 Oct 2023 23:58:41 -0500
Subject: [PATCH 1/2] chore: Update GitHub CI workflows

---
 .github/dependabot.yml | 4 +++
 .github/workflows/semgrep.yml | 50 ++++++++++++++++++++++++++---------
 2 files changed, 41 insertions(+), 13 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 2f418ddf..401c6f16 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,3 +9,7 @@ updates:
 directory: "/"
 schedule:
 interval: "daily"
+ - package-ecosystem: 'github-actions'
+ directory: '/'
+ schedule:
+ interval: 'daily'
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 1ba85e5f..36c687d8 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -1,25 +1,49 @@
-name: semgrep
+name: Semgrep
 
 on:
- pull_request_target: {}
-
+ merge_group:
+ pull_request_target:
+ types:
+ - opened
+ - synchronize
 push:
- branches: [main]
-
+ branches:
+ - master
 schedule:
- - cron: '30 0 1,15 * *'
+ - cron: "30 0 1,15 * *"
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
 
 jobs:
- scan:
+ authorize:
+ name: Authorize
+ environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
 runs-on: ubuntu-latest
+ steps:
+ - run: true
+
+ run:
+ needs: authorize # Require approval before running on forked pull requests
+
+ name: Check for Vulnerabilities
+ runs-on: ubuntu-latest
+
 container:
 image: returntocorp/semgrep
- # Skip any PR created by dependabot to avoid permission issues
- if: (github.actor != 'dependabot[bot]')
 
 steps:
- - uses: actions/checkout@main
- - name: Run Semgrep to check for vulnerabilities
- run: semgrep ci
+ - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+ run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+ - run: semgrep ci
 env:
- SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_TOKEN }}
+ SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

From 41c5dad4dcde0fe9c92c8d4c0247e1ee23d6a5ae Mon Sep 17 00:00:00 2001
From: Ewan Harris
Date: Fri, 27 Oct 2023 10:43:59 +0100
Subject: [PATCH 2/2] Apply suggestions from code review

---
 .github/workflows/semgrep.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
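Review bot: The `run: exit 0` step guarded by `if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'` does not skip the rest of the job — a step exiting 0 only ends that step, so the checkout and `semgrep ci` steps below it still run for dependabot and merge-queue events, contrary to the comment on that line. To get the intended "pass without scanning" behaviour, drop the `exit 0` step and put the inverse condition on the two later steps, `if: github.actor != 'dependabot[bot]' && github.event_name != 'merge_group'`. Separately, the fork gate only works if an `external` environment with required reviewers exists in repository settings, which this diff cannot show; without that protection rule `needs: authorize` passes immediately and `semgrep ci` runs against fork-controlled code (`ref: ${{ github.event.pull_request.head.sha || github.ref }}`) with `SEMGREP_APP_TOKEN` in its environment, so a comment on the `environment:` line such as `# 'external' must have required reviewers configured, or this gate is a no-op` would keep that dependency visible. Since `actions/checkout@v4` is a mutable tag and dependabot has just been enabled for github-actions, pinning to a full commit SHA with a `# v4` comment would let dependabot keep the pin current while removing the tag-retarget risk.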
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 36c687d8..e6424ef3 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -8,7 +8,7 @@ on:
 - synchronize
 push:
 branches:
- - master
+ - main
 schedule:
 - cron: "30 0 1,15 * *"
 
@@ -46,4 +46,4 @@ jobs:
 
 - run: semgrep ci
 env:
- SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+ SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_TOKEN }}
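Review bot: Renaming the `push` branch filter from `master` to `main` leaves `concurrency.cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}`, added in the previous patch and outside this hunk, keyed to the old branch name, so the expression is now true for pushes to `main` and an in-progress scan of the default branch is cancelled by the next push rather than allowed to finish — presumably the opposite of what the `master` check was meant to guarantee. Change it in the same commit to `cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}` so the two branch references cannot drift again. A short comment on the `concurrency:` block, `# keep the branch name here in sync with on.push.branches`, would make the coupling explicit.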