chore: Split sempgrep CI into OSS and pro

At the moment, pro is failing so this is an experiment to see if we can get the OSS version working. The rules they use and the results may differ too, so it might be worth having both.
maxmilton · Mar 5, 2025 · f437b37 · f437b37
1 parent 8af0564
commit f437b37
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 1 deletion.
diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml
@@ -23,7 +23,7 @@ jobs:
       - uses: actions/checkout@v4
       - run: semgrep ci --sarif > semgrep.sarif
         env:
-          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+          SEMGREP_RULES: p/default
       - uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:

diff --git a/.github/workflows/semgrep-pro-analysis.yml b/.github/workflows/semgrep-pro-analysis.yml
@@ -0,0 +1,30 @@
+name: semgrep
+on:
+  push:
+    branches: [master, next]
+  pull_request: {}
+  workflow_dispatch: {}
+  schedule:
+    - cron: "28 6 * * 4"
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.head.label || github.run_id }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    container:
+      image: semgrep/semgrep
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+      - run: semgrep ci --sarif > semgrep.sarif
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+      - uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: semgrep.sarif