bebed09677
Trusted Supply Chain Component Registry (TSCCR) enforcement starts Monday and an internal report shows our semgrep action is pinned to a version that's not currently permitted. Update all the action versions to whatever's the new hotness to maximum the time-to-live on these until we have automated pinning setup. Also version bumps our chromedriver action, which randomly broke upstream today.
22 lines
552 B
YAML
22 lines
552 B
YAML
name: Semgrep
|
|
|
|
on:
|
|
pull_request: {}
|
|
# Skipping push for now since it would run against the entire code base.
|
|
# push:
|
|
|
|
jobs:
|
|
semgrep:
|
|
name: Semgrep Scan
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
SEMGREP_SEND_METRICS: 0
|
|
# Skip any PR created by dependabot to avoid permission issues
|
|
if: (github.actor != 'dependabot[bot]')
|
|
steps:
|
|
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
- uses: returntocorp/semgrep-action@245bf11ddb2f3d4e35f116608cf6e27ae0f9aa04 # v1
|
|
permissions:
|
|
contents: read
|
|
|