
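---
# SPDX-FileCopyrightText: semgrep
#
# SPDX-License-Identifier: MIT
#
# Semgrep static analysis as a GitHub Actions workflow: runs `semgrep ci`
# inside the Semgrep container, writes the findings as SARIF and uploads
# them to the repository's code-scanning dashboard.
name: Semgrep
on: # yamllint disable-line rule:truthy
  push:
    branches: [main, develop, release]
  pull_request:
    # No branch filter here: every pull request with one of these event
    # types is scanned.
    types: [opened, synchronize, reopened]
  workflow_dispatch:
  schedule:
    - cron: "20 17 * * 4"
# Workflow-wide default token is read-only; jobs widen it explicitly below.
permissions:
  contents: read
# One in-flight run per ref and workflow; a newer run cancels the older one.
concurrency:
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true
jobs:
  semgrep:
    # Skip any PR created by dependabot to avoid permission issues:
    if: (github.actor != 'dependabot[bot]')
    name: semgrep/ci
    runs-on: ubuntu-latest
    # Bound the job so a hung scan cannot hold a runner indefinitely.
    timeout-minutes: 30
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    container:
      # The actions below are pinned to commit SHAs, but this image resolves
      # through a mutable tag. For a reproducible toolchain pin it by digest:
      #   image: returntocorp/semgrep@sha256:<DIGEST-PLACEHOLDER>
      image: returntocorp/semgrep
    steps:
      - name: "🧰 Checkout Source Code"
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run semgrep ci
        run: semgrep ci --sarif --output=semgrep.sarif
        env:
          # NOTE(review): secrets are not exposed to runs triggered by pull
          # requests from forks, so this step may fail there — confirm that is
          # the intended policy.
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
        with:
          sarif_file: semgrep.sarif
        # `semgrep ci` exits non-zero when it reports blocking findings; upload
        # the SARIF regardless so those findings still reach the dashboard.
        if: always()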