name: Semgrep

on:
  pull_request: {}
  # Skipping push for now since it would run against the entire code base.
  # push:

jobs:
  semgrep:
    name: Semgrep Scan
    runs-on: ubuntu-latest
    container:
      image: returntocorp/semgrep:1.36.0
    env:
      SEMGREP_SEND_METRICS: 0
    # Skip any PR created by dependabot to avoid permission issues
    if: (github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - run: semgrep ci --config=.semgrep/
permissions:
  contents: read