From dde11de732d0d94e624074ee56072a3e2b50658a Mon Sep 17 00:00:00 2001
From: Gerardo Di Giacomo
Date: Mon, 14 Aug 2023 12:23:15 -0700
Subject: [PATCH 1/4] Update semgrep.yaml to also run daily
---
 .github/workflows/semgrep.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/semgrep.yaml b/.github/workflows/semgrep.yaml
index 320f35904f60e..c58acf6e30dd8 100644
--- a/.github/workflows/semgrep.yaml
+++ b/.github/workflows/semgrep.yaml
@@ -4,6 +4,8 @@ on: workflow_dispatch: pull_request: types: [labeled, opened, synchronize, reopened, auto_merge_enabled] + schedule: + - cron: '37 13 * * *' jobs: semgrep:
From c5359169008d108abbb4cf7c9579a8529d468f18 Mon Sep 17 00:00:00 2001
From: Gerardo Di Giacomo <19227040+gedigi@users.noreply.github.com>
Date: Mon, 14 Aug 2023 12:43:26 -0700
Subject: [PATCH 2/4] update semgrep rule
---
 .../semgrep/pull-request-target-code-checkout.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/.github/linters/semgrep/pull-request-target-code-checkout.yaml b/.github/linters/semgrep/pull-request-target-code-checkout.yaml
index 1348d505f6c36..a6186a753ab37 100644
--- a/.github/linters/semgrep/pull-request-target-code-checkout.yaml
+++ b/.github/linters/semgrep/pull-request-target-code-checkout.yaml
@@ -47,6 +47,15 @@ rules: ... $JOBNAME: ... + - pattern-not-inside: | + needs: [..., permission-check, ...] + ... + - pattern-not-inside: | + needs: + ... + - permission-check + ... + ... - pattern-not-inside: | needs: [permission-check] ...
From 3a1be231125af5f5ea5ac47601dd4ffbc41b64f9 Mon Sep 17 00:00:00 2001
From: Gerardo Di Giacomo <19227040+gedigi@users.noreply.github.com>
Date: Mon, 14 Aug 2023 12:44:55 -0700
Subject: [PATCH 3/4] fix workflows
---
 .github/workflows/docker-build-test.yaml | 1 +
 .github/workflows/ts-sdk-e2e-tests.yaml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/.github/workflows/docker-build-test.yaml b/.github/workflows/docker-build-test.yaml
index 6a7f0f15c4027..0d373bc32a036 100644
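Review bot: The added `schedule:` trigger will start the `semgrep` job with no `pull_request` payload, on the repository's default branch, and the job body that decides what to scan begins after this hunk, so any step there that reads `github.event.pull_request` or PR-only refs needs a guard for the scheduled case. The new trigger also carries no explanation of why a time-based scan was added or what it is expected to cover. A comment such as `# Daily scan of the default branch, independent of PR activity (cron is evaluated in UTC)` above `schedule:` would record the intent and the time zone.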
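Review bot: The two added `pattern-not-inside` exclusions exempt a job from the finding purely because the name `permission-check` appears in its `needs`; a job with that name that performs no real check, or a dependent job whose own `if:` uses `always()` or `!cancelled()` (which runs even when the dependency fails), is still silenced. That assumption should be written down next to the patterns, e.g. `# Exemption is by job name only: assumes permission-check actually gates and that dependents do not override it with if: always()`. If Semgrep's YAML ellipsis matches an empty prefix and suffix, the pre-existing `needs: [permission-check]` exclusion just below is now subsumed by the flow-sequence pattern and could be dropped for clarity. The enclosing rule (its `patterns` list and the `$JOBNAME` binding) starts before this hunk, so the rule's message and metadata were not reviewed here.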
--- a/.github/workflows/docker-build-test.yaml
+++ b/.github/workflows/docker-build-test.yaml
@@ -111,6 +111,7 @@ jobs: # This job determines which files were changed file_change_determinator: + needs: [permission-check] runs-on: ubuntu-latest outputs: only_docs_changed: ${{ steps.determine_file_changes.outputs.only_docs_changed }}
diff --git a/.github/workflows/ts-sdk-e2e-tests.yaml b/.github/workflows/ts-sdk-e2e-tests.yaml
index 8a4b53419af29..1a9c168e5dbbf 100644
--- a/.github/workflows/ts-sdk-e2e-tests.yaml
+++ b/.github/workflows/ts-sdk-e2e-tests.yaml
@@ -34,6 +34,7 @@ jobs: # This job determines which files were changed file_change_determinator: + needs: [permission-check] runs-on: ubuntu-latest outputs: only_docs_changed: ${{ steps.determine_file_changes.outputs.only_docs_changed }}
From 60b20ca30eab3721c5e83219da9aa93e0546f984 Mon Sep 17 00:00:00 2001
From: Gerardo Di Giacomo
Date: Mon, 14 Aug 2023 12:51:53 -0700
Subject: [PATCH 4/4] Update .github/workflows/semgrep.yaml
Co-authored-by: Balaji Arun
---
 .github/workflows/semgrep.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yaml b/.github/workflows/semgrep.yaml
index c58acf6e30dd8..9505c7b3b2b9c 100644
--- a/.github/workflows/semgrep.yaml
+++ b/.github/workflows/semgrep.yaml
@@ -5,7 +5,7 @@ on: pull_request: types: [labeled, opened, synchronize, reopened, auto_merge_enabled] schedule: - - cron: '37 13 * * *' + - cron: '0 * * * *' jobs: semgrep:
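Review bot: `needs: [permission-check]` on `file_change_determinator` references a job whose definition lies outside this hunk; if no job named `permission-check` exists in the workflow, GitHub rejects the file at load time rather than at run time, so confirm it is defined in both `docker-build-test.yaml` and `ts-sdk-e2e-tests.yaml` (the second hunk in this patch makes the identical change). The ordering guarantee from `needs` only holds if this job, and the downstream jobs that consume `only_docs_changed`, do not carry `if: always()` or `if: ${{ !cancelled() }}`; any job-level `if:` on `file_change_determinator` is not visible in the hunk. Since the dependency appears to exist to satisfy the pull-request-target checkout rule rather than for data flow, a comment above the line such as `# Must run after permission-check (required by the pull_request_target checkout rule)` would keep it from being removed as an apparently unnecessary dependency.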
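Review bot: The replaced cron now fires every hour at minute 0, while the first subject in this series says the workflow should "also run daily" and nothing in the file records which cadence is intended, so a reader cannot tell whether the hourly value or the subject is the mistake. Add a comment above `- cron:` such as `# Hourly scan of the default branch (cron is evaluated in UTC)`, and if hourly is deliberate, confirm that 24 scheduled runs per day with no code change is an acceptable Actions-minute cost. The `semgrep` job itself continues beyond the hunk and was not reviewed here.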