pysdk/.github/workflows/semgrep.yml at main · nebius/pysdk · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
# Name of this GitHub Actions workflow.
name: Semgrep

on:
  # Scan changed files in PRs (diff-aware scanning):
  pull_request: {}
  # Scan on-demand through GitHub Actions interface:
  workflow_dispatch: {}
  # Scan mainline branches if there are changes to .github/workflows/semgrep.yml:
  push:
    branches:
      - main
    paths:
      - .github/workflows/semgrep.yml
  # Schedule the CI job (this method uses cron syntax):
  schedule:
    - cron: '16 14 * * *' # Sets Semgrep to scan every day at 14:16 UTC

permissions:
  contents: read

jobs:
  semgrep:
    # User definable name of this GitHub Actions job.
    name: semgrep/ci
    # If you are self-hosting, change the following `runs-on` value:
    runs-on: ubuntu-latest

    container:
      # A Docker image with Semgrep installed. Do not change this.
      image: semgrep/semgrep

    # Skip any PR created by dependabot to avoid permission issues:
    if: (github.actor != 'dependabot[bot]')

    steps:
      # Fetch project source with GitHub Actions Checkout. Use either v3 or v4.
      - uses: actions/checkout@v6
      # Run the "semgrep ci" command on the command line of the docker image.
      - run: semgrep ci
        env:
          # Connect to Semgrep AppSec Platform through your SEMGREP_APP_TOKEN.
          # Generate a token from Semgrep AppSec Platform > Settings
          # and add it to your GitHub secrets.
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

  notify-slack-on-failure:
    name: Notify Slack on failure
    # pull requests can not go unnoticed, so we only notify on failures
    # of the semgrep job for pushes and scheduled runs.
    if: ${{ failure() && github.event_name != 'pull_request' }}
    needs: [semgrep]
    runs-on: ubuntu-latest
    steps:
      - name: Post text to a Slack channel
        uses: slackapi/slack-github-action@v3.0.1
        with:
          method: chat.postMessage
          token: ${{ secrets.SLACK_OAUTH_TOKEN }}
          payload: |
            channel: ${{ secrets.SLACK_CHANNEL }}
            text: |
              🚨 Workflow *${{ github.workflow }}* failed on <${{ github.server_url }}/${{ github.repository }}|${{ github.repository }}>
              <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View run>