| name: semgrep ci | |
| on: | |
| workflow_run: | |
| workflows: ["trigger-semgrep"] | |
| types: | |
| - completed | |
| env: | |
| CI: true | |
| PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: "1" | |
| concurrency: | |
| group: "${{ github.event.workflow_run.head_repository.full_name }}-${{ github.event.workflow_run.head_branch }}-${{ github.workflow_ref }}" | |
| cancel-in-progress: true | |
| permissions: {} | |
| jobs: | |
| semgrep: | |
| permissions: | |
| contents: read | |
| name: semgrep/ci | |
| runs-on: ubuntu-latest | |
| container: | |
| image: semgrep/semgrep | |
| options: --volume ${{ github.workspace }}/.github/configs:/mnt/ --name semgrepcontainer | |
| outputs: | |
| pr_number: ${{ steps.json.outputs.pr_number }} | |
| sha: ${{ steps.json.outputs.sha }} | |
| if: (github.actor != 'dependabot[bot]') | |
| steps: | |
| - name: Download artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: changes | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| run-id: ${{ github.event.workflow_run.id }} | |
| - uses: gradio-app/github/actions/json-to-output@main | |
| id: json | |
| with: | |
| path: output.json | |
| - uses: actions/checkout@v4 | |
| with: | |
| repository: ${{ steps.json.outputs.source_repo }} | |
| ref: ${{ steps.json.outputs.sha }} | |
| - name: restart docker | |
| uses: docker://docker | |
| with: | |
| args: docker restart semgrepcontainer | |
| - run: ls -la /mnt | |
| - run: semgrep ci --config=/mnt/semgrep_rules.yaml | |
| update-status: | |
| permissions: | |
| actions: read | |
| statuses: write | |
| runs-on: ubuntu-latest | |
| needs: semgrep | |
| steps: | |
| - name: update status | |
| uses: gradio-app/github/actions/commit-status@main | |
| with: | |
| sha: ${{ needs.semgrep.outputs.sha }} | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| name: "Semgrep Results" | |
| pr: ${{ needs.semgrep.outputs.pr_number }} | |
| result: ${{ needs.semgrep.result == 'success' && 'success' || 'failure' }} | |
| type: all | |