name: Semgrep

on:
  pull_request: {}
  # Skipping push for now since it would run against the entire code base.
  # push:

jobs:
  semgrep-validate:
    name: Semgrep Validate
    if: (github.actor != 'dependabot[bot]')
    runs-on: ubuntu-22.04
    container:
      image: returntocorp/semgrep:1.107.0
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - run: semgrep --metrics=off --validate --config=.semgrep/

  semgrep:
    name: Semgrep Scan
    needs: [semgrep-validate]
    runs-on: ubuntu-22.04
    container:
      image: returntocorp/semgrep:1.107.0
    env:
      SEMGREP_SEND_METRICS: off
    # Skip any PR created by dependabot to avoid permission issues
    if: (github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - run: semgrep ci --config=.semgrep/

permissions:
  contents: read