Update Workflows overview page with use cases, revised code example and features #4146
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| workflow_dispatch: {} | |
| schedule: | |
| - cron: "0 4 * * *" | |
| pull_request: {} | |
| name: Semgrep rules checking results | |
| permissions: | |
| contents: read | |
| jobs: | |
| semgrep: | |
| name: Semgrep | |
| runs-on: ubuntu-latest | |
| env: | |
| SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} | |
| SEMGREP_URL: https://cloudflare.semgrep.dev | |
| SEMGREP_APP_URL: https://cloudflare.semgrep.dev | |
| SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version | |
| container: | |
| image: semgrep/semgrep | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| # fetch full history so Semgrep can compare against the base branch | |
| fetch-depth: 0 | |
| # Configure | |
| # add git safe directory to enable git commands on checkout path | |
| # set COMMIT_MESSAGE environment variable to be able to skip semgrep if requested | |
| - name: Configure | |
| run: | | |
| git config --global --add safe.directory $PWD | |
| echo "COMMIT_MESSAGE='$(git log --format=%B -n 1 ${{ github.event.pull_request.head.sha }} | sed "s/\"/'/g")'" | tee /dev/stderr >> "$GITHUB_ENV" | |
| echo "(if the last commit message contains '[skip style guide checks]' Semgrep style guide rule checks will be skipped)" | |
| # Semgrep CI to run on Schedule (Cron) or Manual Dispatch | |
| # scans using managed rules at cloudflare.semgrep.dev | |
| - name: Semgrep managed rules (managed at cloudflare.semgrep.dev) | |
| if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' | |
| run: semgrep ci | |
| # Semgrep Scan to run on Pull Request events | |
| # scans using rules inside the .semgrep/ folder and fails on error | |
| # include [skip semgrep] in top-most commit message to skip scan | |
| - name: Semgrep style guide rules (stored in .semgrep/) | |
| shell: bash | |
| if: github.event_name == 'pull_request' && !contains(env.COMMIT_MESSAGE, '[skip style guide checks]') | |
| run: | | |
| echo "env.COMMIT_MESSAGE: ${{ env.COMMIT_MESSAGE }}" | |
| base_commit=$(git merge-base HEAD origin/$GITHUB_BASE_REF) | |
| git diff $base_commit... --diff-filter=ACMRT --name-only | grep -E '\.(htm|html|yaml|yml|md|mdx)$' > tools/relevant_changed_files.txt || true | |
| # Check if file list is empty to prevent errors | |
| if [ -s tools/relevant_changed_files.txt ]; then | |
| list_of_files=$(cat tools/relevant_changed_files.txt | tr '\n' ' ') | |
| semgrep scan \ | |
| --config .semgrep --metrics=off \ | |
| --include "*.mdx" --include "*.mdx" \ | |
| --error \ | |
| --json \ | |
| $list_of_files \ | |
| | jq --raw-output ".results[] | \"::warning file=\(.path),line=\(.start.line),title=\(.check_id)::\(.extra.message)\"" | |
| exit ${PIPESTATUS[0]} | |
| else | |
| echo "No relevant files changed" | |
| fi |