Skip to content

Update semgrep.yml

Update semgrep.yml #7

Workflow file for this run

name: Artikodin pull-request handler
on:
# Runs on a pull request for the main branch (we use
# 'pull_request_target' instead of 'pull_request' so
# it also works for forks, since the secrets would
# otherwise not be available for forks.
pull_request_target:
types:
# Default events
- opened
- synchronize
- reopened
# But we also want to make sure a potential
# exception request pull request is getting
# closed if any was open
- closed
branch:
- main
# This does not work on forks, we are duplicating
# the 'closed' call here because it does not seem
# to behave as expected for `pull_request_target`.
pull_request:
types:
- closed
# Runs on a merge group build
merge_group:
types:
- checks_requested
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: false
jobs:
handle:
name: Run Artikodin handler
runs-on: ubuntu-latest
steps:
- name: Getting an app token if Artikodin is available
env:
ARTIKODIN_CONTROLLER_APP_ID: ${{ secrets.ARTIKODIN_CONTROLLER_APP_ID }}
ARTIKODIN_CONTROLLER_PRIVATE_KEY: ${{ secrets.ARTIKODIN_CONTROLLER_PRIVATE_KEY }}
ARTIKODIN_CONTENTS_APP_ID: ${{ secrets.ARTIKODIN_CONTENTS_APP_ID }}
ARTIKODIN_CONTENTS_PRIVATE_KEY: ${{ secrets.ARTIKODIN_CONTENTS_PRIVATE_KEY }}
if: ${{ env.ARTIKODIN_CONTROLLER_APP_ID != '' && env.ARTIKODIN_CONTROLLER_PRIVATE_KEY != '' && env.ARTIKODIN_CONTENTS_APP_ID != '' && env.ARTIKODIN_CONTENTS_PRIVATE_KEY != '' }}
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.ARTIKODIN_CONTENTS_APP_ID }}
private-key: ${{ secrets.ARTIKODIN_CONTENTS_PRIVATE_KEY }}
owner: temporalio
repositories: artikodin
- name: Checkout Artikodin
if: ${{ steps.app-token.outputs.token != '' }}
uses: actions/checkout@v4
with:
repository: temporalio/artikodin
ref: main
token: ${{ steps.app-token.outputs.token }}
persist-credentials: false
- name: Synchronize authorization
if: ${{ steps.app-token.outputs.token != '' }}
uses: ./request
with:
skip-checkout: true
contents-app-id: ${{ secrets.ARTIKODIN_CONTENTS_APP_ID }}
contents-private-key: ${{ secrets.ARTIKODIN_CONTENTS_PRIVATE_KEY }}
controller-app-id: ${{ secrets.ARTIKODIN_CONTROLLER_APP_ID }}
controller-private-key: ${{ secrets.ARTIKODIN_CONTROLLER_PRIVATE_KEY }}
target-repository: "${{ github.repository }}"
target-pull-request: "${{ github.event.pull_request.number }}"
target-merge-group-head-ref: "${{ github.event.merge_group.head_ref }}"
target-git-sha: "${{ github.event.pull_request.head.sha || github.event.merge_group.head_sha }}"
closing-pr: ${{ github.event.action == 'closed' }}