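---
# Runs semgrep against the change that a completed "trigger-semgrep" run
# handed over through its "changes" artifact, then reports the result as a
# commit status. Because this is a workflow_run workflow it executes in the
# base repository's context with access to secrets.GITHUB_TOKEN, so every
# value read from the artifact (source_repo, sha, pr_number) is untrusted input.
name: semgrep ci

on:
  workflow_run:
    workflows: ["trigger-semgrep"]
    types:
      - completed

env:
  # Env values always reach the job as strings; quoted for clarity.
  CI: "true"
  PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: "1"

concurrency:
  # One in-flight run per (fork, branch, workflow); newer runs cancel older ones.
  group: "${{ github.event.workflow_run.head_repository.full_name }}-${{ github.event.workflow_run.head_branch }}-${{ github.workflow_ref }}"
  cancel-in-progress: true

# Deny everything at the workflow level; each job grants only what it needs.
permissions: {}

jobs:
  semgrep:
    permissions:
      contents: read
    name: semgrep/ci
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
      # Bind-mounts the workspace's .github/configs into /mnt/ of the job
      # container. The workspace is empty when the container starts and is only
      # populated by the checkout step below, which is presumably why the
      # container is restarted afterwards (TODO confirm).
      options: --volume ${{ github.workspace }}/.github/configs:/mnt/ --name semgrepcontainer
    # Both outputs originate from the downloaded artifact, i.e. from the
    # triggering run, and must only ever be passed as action inputs - never
    # interpolated into a run: script.
    outputs:
      pr_number: ${{ steps.json.outputs.pr_number }}
      sha: ${{ steps.json.outputs.sha }}
    if: (github.actor != 'dependabot[bot]')
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: changes
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ github.event.workflow_run.id }}
      - uses: gradio-app/github/actions/json-to-output@main
        id: json
        with:
          path: output.json
      - uses: actions/checkout@v4
        with:
          repository: ${{ steps.json.outputs.source_repo }}
          ref: ${{ steps.json.outputs.sha }}
          # The checked-out tree is the (possibly forked) PR head; do not leave
          # the token in its .git/config. Nothing after this step needs git auth.
          persist-credentials: false
      - name: restart docker
        uses: docker://docker
        with:
          args: docker restart semgrepcontainer
      # Diagnostic: shows what the mount exposes to the semgrep step.
      - run: ls -la /mnt
      # NOTE(review): /mnt/semgrep_rules.yaml is read from the checked-out PR
      # head, so the author of the change being scanned also controls the rules
      # it is scanned with. Sourcing the rules from the base repository instead
      # would make the scan result meaningful for untrusted PRs.
      - run: semgrep ci --config=/mnt/semgrep_rules.yaml

  update-status:
    permissions:
      actions: read
      statuses: write
    runs-on: ubuntu-latest
    needs: semgrep
    # Without this condition the job only runs when semgrep succeeded, so the
    # 'failure' branch of result: below could never be reported. Still skip
    # when semgrep was skipped (dependabot) or produced no sha to report on.
    if: ${{ !cancelled() && needs.semgrep.result != 'skipped' && needs.semgrep.outputs.sha != '' }}
    steps:
      - name: update status
        uses: gradio-app/github/actions/commit-status@main
        with:
          sha: ${{ needs.semgrep.outputs.sha }}
          token: ${{ secrets.GITHUB_TOKEN }}
          name: "Semgrep Results"
          pr: ${{ needs.semgrep.outputs.pr_number }}
          result: ${{ needs.semgrep.result == 'success' && 'success' || 'failure' }}
          type: all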