gradio/.github/workflows/semgrep.yml

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

69 lines
1.9 KiB
YAML
Raw Normal View History

name: semgrep ci
on:
workflow_run:
workflows: ["trigger-semgrep"]
types:
- completed
env:
CI: true
PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: "1"
concurrency:
group: "${{ github.event.workflow_run.head_repository.full_name }}-${{ github.event.workflow_run.head_branch }}-${{ github.workflow_ref }}"
cancel-in-progress: true
permissions: {}
jobs:
semgrep:
permissions:
contents: read
name: semgrep/ci
runs-on: ubuntu-latest
container:
image: semgrep/semgrep
options: --volume ${{ github.workspace }}/.github/configs:/mnt/ --name semgrepcontainer
outputs:
pr_number: ${{ steps.json.outputs.pr_number }}
sha: ${{ steps.json.outputs.sha }}
if: (github.actor != 'dependabot[bot]')
steps:
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: changes
github-token: ${{ secrets.GITHUB_TOKEN }}
run-id: ${{ github.event.workflow_run.id }}
- uses: gradio-app/github/actions/json-to-output@main
id: json
with:
path: output.json
- uses: actions/checkout@v4
with:
repository: ${{ steps.json.outputs.source_repo }}
ref: ${{ steps.json.outputs.sha }}
- name: restart docker
uses: docker://docker
with:
args: docker restart semgrepcontainer
- run: ls -la /mnt
- run: semgrep ci --config=/mnt/semgrep_rules.yaml
update-status:
permissions:
actions: read
statuses: write
runs-on: ubuntu-latest
needs: semgrep
steps:
- name: update status
uses: gradio-app/github/actions/commit-status@main
with:
sha: ${{ needs.semgrep.outputs.sha }}
token: ${{ secrets.GITHUB_TOKEN }}
name: "Semgrep Results"
pr: ${{ needs.semgrep.outputs.pr_number }}
result: ${{ needs.semgrep.result == 'success' && 'success' || 'failure' }}
type: all