name: Semgrep

on:
  pull_request: {}
  # Skipping push for now since it would run against the entire code base.
  # push:

jobs:
  semgrep:
    name: Semgrep Scan
    runs-on: ubuntu-latest
    container:
      image: returntocorp/semgrep:1.36.0
    env:
      SEMGREP_SEND_METRICS: 0
    # Skip any PR created by dependabot to avoid permission issues
    if: (github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - run: semgrep ci --config=.semgrep/
permissions:
  contents: read