ci: Update Workflows

Author: evansims

.github/workflows/semgrep.yml

@@ -38,12 +38,12 @@ jobs:
 
     steps:
       - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
-        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+        run: exit 0
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
-          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+          ref: ${{ github.event.pull_request.merge_commit_sha || github.ref }}
 
       - run: semgrep ci
         env:
-          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+          SEMGREP_APP_TOKEN: ${{ secrets.DX_SDKS_SEMGREP_TOKEN }}

.github/workflows/snyk.yml

@@ -2,7 +2,6 @@ name: Snyk
 
 on:
   merge_group:
-  workflow_dispatch:
   pull_request_target:
     types:
       - opened
@@ -16,6 +15,12 @@ on:
 permissions:
   contents: read
 
+env:
+  DX_SDKS_SNYK_ORGANIZATION: 8303ea71-ac72-4ae6-9cd0-ae2f3eda82b7
+  DX_SDKS_SNYK_PROJECT: auth0/laravel-auth0
+  DX_SDKS_SNYK_TAGS: Refactoring-target:DX,Refactoring-origin:auth0-sdks
+  DX_SDKS_SNYK_REMOTE_REPO_URL: https://github.com/auth0/laravel-auth0
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
@@ -28,24 +33,56 @@ jobs:
     steps:
       - run: true
 
+  configure:
+    name: Configure
+    needs: [authorize]
+    runs-on: ubuntu-latest
+
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.merge_commit_sha || github.ref }}
+
+      - id: set-matrix
+        run: echo "matrix=$(jq -c . < ./.github/workflows/matrix.json)" >> $GITHUB_OUTPUT
+
   check:
-    needs: authorize
+    needs: [configure]
 
     name: Check for Vulnerabilities
     runs-on: ubuntu-latest
 
     steps:
       - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
-        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+        run: exit 0
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
-          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+          ref: ${{ github.event.pull_request.merge_commit_sha || github.ref }}
 
       - uses: ./.github/actions/setup
         with:
-          php: 8.1
+          php: ${{ fromJson(needs.configure.outputs.matrix).include[0].php }}
+
+      - run: npm install snyk -g
+
+      - if: github.ref == 'refs/heads/main'
+        run: snyk monitor --file=composer.lock --org=$SNYK_ORGANIZATION --project-name=$SNYK_PROJECT --project-tags=$SNYK_TAGS --remote-repo-url=$SNYK_REMOTE_REPO --target-reference="$(git branch --show-current)"
+        env:
+          SNYK_TOKEN: ${{ secrets.DX_SDKS_SNYK_TOKEN }}
+          SNYK_ORGANIZATION: ${{ env.DX_SDKS_SNYK_ORGANIZATION }}
+          SNYK_PROJECT: ${{ env.DX_SDKS_SNYK_PROJECT }}
+          SNYK_TAGS: ${{ env.DX_SDKS_SNYK_TAGS }}
+          SNYK_REMOTE_REPO: ${{ env.DX_SDKS_SNYK_REMOTE_REPO_URL }}
+        continue-on-error: true
 
-      - uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0
+      - run: snyk test --file=composer.lock --org=$SNYK_ORGANIZATION --project-name=$SNYK_PROJECT --remote-repo-url=$SNYK_REMOTE_REPO
         env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          SNYK_TOKEN: ${{ secrets.DX_SDKS_SNYK_TOKEN }}
+          SNYK_ORGANIZATION: ${{ env.DX_SDKS_SNYK_ORGANIZATION }}
+          SNYK_PROJECT: ${{ env.DX_SDKS_SNYK_PROJECT }}
+          SNYK_TAGS: ${{ env.DX_SDKS_SNYK_TAGS }}
+          SNYK_REMOTE_REPO: ${{ env.DX_SDKS_SNYK_REMOTE_REPO_URL }}