Add Semgrep to CI (#9498)

* semgrep * Update semgrep.yml * ci
2025-04-12 12:40:29 +08:00 · 2024-10-02 15:52:45 -07:00 · 2024-10-02 15:52:45 -07:00 · 8ff76dbfcd
commit 8ff76dbfcd
parent a381c35785
1 changed files with 68 additions and 0 deletions
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@ -0,0 +1,68 @@
+name: Semgrep
+
+on:
+    workflow_run:
+        workflows: ["trigger-changeset"]
+        types:
+            - completed
+    
+env:
+  CI: true
+  PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: "1"
+
+concurrency:
+    group: "${{ github.event.workflow_run.head_repository.full_name }}-${{ github.event.workflow_run.head_branch }}-${{ github.workflow_ref }}"
+    cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  changes:
+    permissions:
+      contents: read
+      pull-requests: read
+    name: "changes"
+    runs-on: ubuntu-latest
+    outputs:
+      should_run: ${{ steps.changes.outputs.should_run }}
+      sha: ${{ steps.changes.outputs.sha }}
+      source_branch: ${{ steps.changes.outputs.source_branch }}
+      source_repo: ${{ steps.changes.outputs.source_repo }}
+      pr_number: ${{ steps.changes.outputs.pr_number }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: "gradio-app/gradio/.github/actions/changes@main"
+        id: changes
+  semgrep:
+    permissions:
+        contents: read  
+    name: semgrep/ci
+    runs-on: ubuntu-latest
+    needs: changes
+    container:
+      image: semgrep/semgrep
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: ${{ needs.changes.outputs.source_repo }}
+          ref: ${{ needs.changes.outputs.sha }}
+      - run: semgrep ci
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN2 }}
+  update-status:
+    permissions:
+      actions: read
+      statuses: write
+    runs-on: ubuntu-latest
+    needs: [changes, semgrep]
+    steps:
+      - name: update status
+        uses: gradio-app/github/actions/commit-status@main
+        with:
+          sha: ${{ needs.changes.outputs.sha }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          name: "Semgrep Results"
+          pr: ${{ needs.changes.outputs.pr_number }}
+          result: ${{ needs.semgrep.result == 'success' && 'success' || 'failure' }}
+          type: all