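# Semgrep workflow: nightly / manual scans with the managed rule set, and a
# per-pull-request scan of the repository's own rules in .semgrep/.
on:
  workflow_dispatch: {}
  schedule:
    - cron: "0 4 * * *"
  pull_request: {}

name: Semgrep rules checking results

# Read-only token: nothing in this workflow writes back to the repository.
permissions:
  contents: read

jobs:
  semgrep:
    name: Semgrep
    runs-on: ubuntu-latest
    env:
      SEMGREP_URL: https://cloudflare.semgrep.dev
      SEMGREP_APP_URL: https://cloudflare.semgrep.dev
      SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
    container:
      image: semgrep/semgrep
    steps:
      # NOTE(review): consider pinning the action to a full commit SHA instead
      # of a mutable tag for supply-chain stability.
      - uses: actions/checkout@v4
        with:
          # fetch full history so Semgrep can compare against the base branch
          fetch-depth: 0

      # Configure
      # add git safe directory to enable git commands on checkout path
      # set COMMIT_MESSAGE environment variable to be able to skip semgrep if requested
      - name: Configure
        shell: bash
        env:
          # Hand the SHA to the script through the environment instead of
          # interpolating `${{ }}` into the script body. Empty on schedule /
          # workflow_dispatch events, where the script falls back to HEAD.
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          git config --global --add safe.directory "$PWD"
          # The commit message is attacker-controlled on pull requests. The sed
          # call turns double quotes into single quotes and tr strips newlines,
          # so the value written to GITHUB_ENV cannot spill into a second line
          # (i.e. cannot define additional variables).
          echo "COMMIT_MESSAGE='$(git log --format=%B -n 1 "${HEAD_SHA:-HEAD}" | sed "s/\"/'/g" | tr "\n" " ") '" | tee /dev/stderr >> "$GITHUB_ENV"
          echo "(if the last commit message contains '[skip style guide checks]' Semgrep style guide rule checks will be skipped)"

      # Semgrep CI to run on Schedule (Cron) or Manual Dispatch
      # scans using managed rules at cloudflare.semgrep.dev
      - name: Semgrep managed rules (managed at cloudflare.semgrep.dev)
        if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
        env:
          # Scoped to the only step that talks to the Semgrep app; the
          # pull_request scan below runs local rules with metrics off and
          # does not need the token.
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
        run: semgrep ci

      # Semgrep Scan to run on Pull Request events
      # scans using rules inside the .semgrep/ folder and fails on error
      # include [skip style guide checks] in top-most commit message to skip scan
      - name: Semgrep style guide rules (stored in .semgrep/)
        shell: bash
        if: github.event_name == 'pull_request' && !contains(env.COMMIT_MESSAGE, '[skip style guide checks]')
        run: |
          # Read the message from the shell environment. `${{ env.COMMIT_MESSAGE }}`
          # would be substituted into this script before bash runs it, and the
          # message is PR-controlled, so a crafted message could inject commands.
          echo "env.COMMIT_MESSAGE: $COMMIT_MESSAGE"

          base_commit=$(git merge-base HEAD "origin/$GITHUB_BASE_REF")
          git diff "$base_commit..." --diff-filter=ACMRT --name-only | grep -E '\.(htm|html|yaml|yml|md|mdx)$' > tools/relevant_changed_files.txt || true

          # Check if file list is empty to prevent errors
          if [ -s tools/relevant_changed_files.txt ]; then
            list_of_files=$(tr '\n' ' ' < tools/relevant_changed_files.txt)
            # NOTE(review): --include "*.mdx" (previously listed twice) restricts
            # the scan to .mdx even though the grep above also selects
            # htm/html/yaml/yml/md files — confirm whether that is intended.
            semgrep scan \
              --config .semgrep --metrics=off \
              --include "*.mdx" \
              --error \
              --json \
              $list_of_files \
              | jq --raw-output ".results[] | \"::warning file=\(.path),line=\(.start.line),title=\(.check_id)::\(.extra.message)\""
            #exit ${PIPESTATUS[0]}
            # for the moment always return a successful run
            exit 0
          else
            echo "No relevant files changed"
          fi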