Bump astral-sh/setup-uv from 5 to 6 in the major group #1
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| pull_request: | |
| name: Semgrep scan | |
| jobs: | |
| semgrep: | |
| # Skip any PR created by dependabot to avoid permission issues: | |
| if: (github.actor != 'dependabot[bot]') | |
| name: semgrep-oss/scan | |
| runs-on: ubuntu-latest | |
| permissions: | |
| pull-requests: read | |
| checks: write | |
| contents: read | |
| actions: write | |
| container: | |
| image: semgrep/semgrep | |
| steps: | |
| - run: /usr/bin/jq --version | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - run: | | |
| git clone https://github.com/trailofbits/semgrep-rules $HOME/semgrep-rules-tob | |
| git clone https://github.com/semgrep/semgrep-rules $HOME/semgrep-rules | |
| git -C $HOME/semgrep-rules reset --hard d1ac184a1eca88c71291ce29972ff46ea23547dc | |
| git -C $HOME/semgrep-rules-tob reset --hard cfff2e18a95c244691ee1b6493e39e3eda9354ef | |
| rm $HOME/semgrep-rules-tob/.github/workflows/update-semgrep-registry.yml | |
| rm $HOME/semgrep-rules/.pre-commit-config.yaml | |
| rm -rf $HOME/semgrep-rules-tob/.github | |
| rm -rf $HOME/semgrep-rules/.github | |
| rm -rf $HOME/semgrep-rules/stats | |
| - run: git config --global --add safe.directory $(pwd) | |
| - run: | | |
| semgrep scan --config $HOME/semgrep-rules --config $HOME/semgrep-rules-tob \ | |
| --metrics=off --experimental \ | |
| --exclude-rule=third-party-action-not-pinned-to-commit-sha \ | |
| --exclude-rule=detect-generic-ai-anthprop \ | |
| --exclude-rule=detect-generic-ai-api \ | |
| --exclude-rule=detect-generic-ai-gem \ | |
| --exclude-rule=detect-generic-ai-oai \ | |
| --exclude="*.html" --exclude="*.js" \ | |
| --baseline-commit=${{ github.event.pull_request.base.sha }} \ | |
| --json > /tmp/semgrep-results.json || true | |
| - name: Notice | |
| shell: bash | |
| run: | | |
| /usr/bin/jq -r '.results[] | |
| | . + { | |
| severity: ( | |
| if .extra.severity == "WARNING" then "warning" | |
| elif .extra.severity == "ERROR" then "error" | |
| else "notice" | |
| end | |
| ) | |
| } | |
| | "::\(.severity) file=\(.path),line=\(.start.line),col=\(.start.col),endLine=\(.end.line),endColumn=\(.end.col),title=\(.check_id)::\((.extra.message | |
| | gsub("[^a-zA-Z0-9 .]"; "") | |
| ))"' /tmp/semgrep-results.json | |
| # - name: Upload SARIF file | |
| # uses: github/codeql-action/upload-sarif@v2 | |
| # with: | |
| # # Path to SARIF file relative to the root of the repository | |
| # sarif_file: /tmp/semgrep-results.sarif | |
| # if: always() | |