This repository has been archived by the owner on Apr 9, 2024. It is now read-only.
chore(deps): bump returntocorp/semgrep from 1.36.0 to 1.62.0 #1846
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: tests | |
on: | |
pull_request: | |
push: | |
branches: [develop] | |
jobs: | |
pytest: | |
name: run pytest | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
python-version: ["3.10"] | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
persist-credentials: false | |
- name: Setup Python ${{ matrix.python-version }} | |
uses: actions/setup-python@v3 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Setup poetry | |
run: pipx install poetry==1.2.0 | |
- id: setup-package-managers | |
name: Setup package managers | |
run: | | |
poetry config virtualenvs.in-project true | |
echo "installed-semgrep-version=$(sed --quiet --regexp-extended 's/^FROM returntocorp[/]semgrep:(.+)$/\1/p' Dockerfile)" >> $GITHUB_OUTPUT | |
- id: reuse-poetry-virtualenv | |
name: Reuse poetry's virtualenv | |
uses: actions/cache@v2.1.7 | |
with: | |
path: .venv | |
key: ${{ runner.os }}-${{ matrix.python-version }}-poetry-${{ hashFiles('**/poetry.lock') }} | |
# install semgrep first so that errors are more obvious if agent dependencies conflict | |
- name: Install semgrep | |
run: pipx install semgrep==${{ steps.setup-package-managers.outputs.installed-semgrep-version }} | |
- name: Install dependencies | |
run: poetry install --no-root | |
if: steps.reuse-poetry-virtualenv.outputs.cache-hit != 'true' | |
- name: Install semgrep-agent | |
run: poetry install | |
- name: Run pytest | |
run: | | |
# tests should simulate CI environment iff they need one | |
unset CI | |
unset "${!GITHUB_@}" | |
poetry run python tests/acceptance/qa.py | |
if git status -s -- tests/acceptance/ | grep M; then | |
echo "snapshot changes found" | |
exit 1 | |
else | |
echo "no snapshot changes found" | |
exit 0 | |
fi | |
- name: Configure git creds for push | |
id: configure-creds | |
if: failure() && github.event_name == 'pull_request' && (github.actor != 'dependabot[bot]' && !(github.event.pull_request.head.repo.full_name != github.repository)) | |
run: | | |
echo "machine github.com" >> ~/.netrc | |
echo "login ${{ github.repository }}" >> ~/.netrc | |
echo "password ${{ secrets.GITHUB_TOKEN }}" >> ~/.netrc | |
- name: Commit snapshot updates | |
id: snapshot-commit | |
if: failure() && github.event_name == 'pull_request' && (github.actor != 'dependabot[bot]' && !(github.event.pull_request.head.repo.full_name != github.repository)) | |
uses: EndBug/add-and-commit@v9 | |
with: | |
add: tests/acceptance | |
default_author: github_actions | |
message: "Update pytest snapshots" | |
new_branch: snapshot-updates-${{ github.run_id }}-${{ github.run_attempt }} | |
- name: Remove Credentials | |
id: remove-creds | |
if: failure() && github.event_name == 'pull_request' && (github.actor != 'dependabot[bot]' && !(github.event.pull_request.head.repo.full_name != github.repository)) | |
run: rm ~/.netrc | |
- name: Comment about any snapshot updates | |
if: failure() && steps.snapshot-commit.outputs.pushed == 'true' | |
run: | | |
echo ":camera_flash: The pytest shapshots changed in your PR." >> /tmp/message.txt | |
echo "Please carefully review these changes and make sure they are intended:" >> /tmp/message.txt | |
echo >> /tmp/message.txt | |
echo "1. Review the changes at https://github.com/returntocorp/semgrep-action/commit/${{ steps.snapshot-commit.outputs.commit_long_sha }}" >> /tmp/message.txt | |
echo "2. Accept the new snapshots with" >> /tmp/message.txt | |
echo >> /tmp/message.txt | |
echo " git fetch origin && git cherry-pick ${{ steps.snapshot-commit.outputs.commit_sha }} && git push" >> /tmp/message.txt | |
gh pr comment ${{ github.event.pull_request.number }} --body-file /tmp/message.txt | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
live-runs: | |
name: live run of action on this repo | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
persist-credentials: false | |
- id: semgrep-app-config | |
name: with semgrep-app connection | |
uses: ./tests/local-image-action | |
with: | |
publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} | |
- id: semgrep-live-registry-id | |
name: with a semgrep.live Registry ID | |
uses: ./tests/local-image-action | |
with: | |
config: r/python.jwt | |
- id: semgrep-live-ruleset-id | |
name: with a semgrep.live Ruleset ID | |
uses: ./tests/local-image-action | |
with: | |
config: p/r2c-CI | |
- id: semgrep-live-id | |
name: with a semgrep.live Rule ID | |
uses: ./tests/local-image-action | |
with: | |
config: s/QKP |