Setup testing for our custom sermver rules (#13)

* Add a test case for our new test.

* First try and GitHub Action

* Make a dedicated testing directory to make it clear what are tests
and what are rules.

* quote all strings in the yaml files

* run ratchet on action_scanning.yml

Author: billnapier

.github/workflows/action_scanning.yml

@@ -1,48 +1,48 @@
 ### Required actions to scan GitHub action workflows for security issues.
-name: Scan GitHub Action workflows files for security issues
+name: 'Scan GitHub Action workflows files for security issues'
 
 on:
   pull_request: {}
 
 permissions:
-  contents: read
-  security-events: write
-  actions: read
+  contents: 'read'
+  security-events: 'write'
+  actions: 'read'
 
 jobs:
   semgrep:
-    name: semgrep-oss/scan
-    runs-on: ubuntu-latest
+    name: 'semgrep-oss/scan'
+    runs-on: 'ubuntu-latest'
 
     container:
-      image: semgrep/semgrep
+      image: 'index.docker.io/semgrep/semgrep@sha256:85782eaf09692e6dfb684cd3bad87ef315775814b01f76b4d15582e4ca7c1c89' # ratchet:semgrep/semgrep
 
     # Skip any PR created by dependabot to avoid permission issues:
     if: (github.actor != 'dependabot[bot]')
 
     steps:
-      - name: Checkout Code
-        uses: actions/checkout@v4    
-        
-      - name: Checkout Workflow Config
-        uses: actions/checkout@v4
+      - name: 'Checkout Code'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
+
+      - name: 'Checkout Workflow Config'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
         env:
           GH_REPO_OWNER: ${{ github.repository_owner }}
         with:
           repository: 'google/github-team'
           path: action_scanning
-    
-      - name: Run Actions semgrep scan
-        run: semgrep scan --sarif --config action_scanning/semgrep-rules/actions >> semgrep-results-actions.sarif
-    
-      - name: Save Actions SARIF results as artifact
-        uses: actions/upload-artifact@v4
+
+      - name: 'Run Actions semgrep scan'
+        run: 'semgrep scan --sarif --config action_scanning/semgrep-rules/actions >> semgrep-results-actions.sarif'
+
+      - name: 'Save Actions SARIF results as artifact'
+        uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # ratchet:actions/upload-artifact@v4
         with:
-          name: semgrep-scan-results-actions
-          path: semgrep-results-actions.sarif
-    
-      - name: Upload Actions SARIF result to the GitHub Security Dashboard
-        uses: github/codeql-action/upload-sarif@v3
+          name: 'semgrep-scan-results-actions'
+          path: 'semgrep-results-actions.sarif'
+
+      - name: 'Upload Actions SARIF result to the GitHub Security Dashboard'
+        uses: 'github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841' # ratchet:github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: semgrep-results-actions.sarif
+          sarif_file: 'semgrep-results-actions.sarif'
         if: always()

.github/workflows/semver_testing.yml

@@ -0,0 +1,27 @@
+### Ensure that our local testing always passes
+name: Run semver tests
+
+on:
+  pull_request: {}
+
+permissions:
+  contents: read
+  actions: read
+
+jobs:
+  semgrep-tests:
+    name: Run semgrep tests
+    runs-on: ubuntu-latest
+
+    container:
+      image: semgrep/semgrep
+
+    # Skip any PR created by dependabot to avoid permission issues:
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4    
+    
+      - name: Run Actions semgrep scan
+        run: semgrep --test --config semgrep-rules semgrep-tests

…/pull_request_target_needs_exception.yml …pull_request_target_needs_exception.yamlsemgrep-rules/actions/pull_request_target_needs_exception.yml renamed to semgrep-rules/actions/pull_request_target_needs_exception.yaml semgrep-rules/actions/pull_request_target_needs_exception.yml renamed to semgrep-rules/actions/pull_request_target_needs_exception.yaml

@@ -0,0 +1,3 @@
+on:
+  # ruleid: pull-request-target-needs-exception
+  pull_request_target: