diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml index fbef8283..edc53fbd 100644 --- a/.github/workflows/govulncheck.yml +++ b/.github/workflows/govulncheck.yml @@ -1,7 +1,10 @@ name: govulncheck on: - pull_request_target: {} + pull_request: + types: + - opened + - synchronize push: branches: [main] schedule: @@ -15,6 +18,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha || github.ref }} + - name: Scan for Vulnerabilities in Code uses: golang/govulncheck-action@dd0578b371c987f96d1185abb54344b44352bd58 # pin@1.0.3 with: diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index e6424ef3..6321013d 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -1,8 +1,7 @@ name: Semgrep on: - merge_group: - pull_request_target: + pull_request: types: - opened - synchronize 
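Review bot: The switch from `pull_request_target` to `pull_request` in the govulncheck `on:` block is the security-relevant change here and should carry a comment so it is not quietly reverted: the checkout in the second hunk uses `ref: ${{ github.event.pull_request.head.sha || github.ref }}`, so the workflow builds and scans fork-authored code, which must never run with the base repository's write token and secrets that `pull_request_target` grants. Suggest adding above `pull_request:` the line `# pull_request, NOT pull_request_target: fork code is checked out and built below, so it must not run with base-repo secrets or a write token`. Two smaller points on the same lines: `types: [opened, synchronize]` drops the default `reopened` activity type, so a reopened PR is not rescanned until a new commit arrives, and now that the event is `pull_request` the explicit `head.sha` ref scans the PR head rather than the merge commit checkout would fetch by default — acceptable if intended, but worth a one-line comment either way.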
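Review bot: Dropping `pull_request_target` from the Semgrep `on:` block is the right fix for the same reason as in govulncheck, but it changes where secrets come from: on a `pull_request` event a PR from a fork runs with a read-only token and without `secrets.SEMGREP_TOKEN`, which appears to be exactly why the removed `authorize` environment gate existed. If `semgrep ci` cannot run without `SEMGREP_APP_TOKEN`, fork PRs will fail this required check rather than be scanned; either confirm that is acceptable or skip the scan step for forks with `if: github.event.pull_request.head.repo.full_name == github.repository`, reusing the condition the removed `authorize` job used. Removing `merge_group` also means this check no longer runs in the merge queue, so if the repository uses one, confirm the required-check configuration still allows queued merges.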
@@ -20,30 +19,22 @@ concurrency: cancel-in-progress: ${{ github.ref != 'refs/heads/master' }} jobs: - authorize: - name: Authorize - environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }} - runs-on: ubuntu-latest - steps: - - run: true - run: - needs: authorize # Require approval before running on forked pull requests - name: Check for Vulnerabilities runs-on: ubuntu-latest - container: image: returntocorp/semgrep steps: - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group' - run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection. + run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. - - uses: actions/checkout@v4 + - name: Checkout Code + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha || github.ref }} - - run: semgrep ci + - name: Run Semgrep + run: semgrep ci env: SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_TOKEN }}
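Review bot: The rewritten `run: exit 0` step in the `run` job still does not skip anything: a step-level `if` gates only that step, and `exit 0` ends it successfully, so the checkout and `semgrep ci` steps that follow execute regardless — for a Dependabot-triggered `pull_request` run that means `semgrep ci` runs without `SEMGREP_APP_TOKEN`, since Dependabot runs do not receive ordinary repository secrets. Move the condition to the job and delete the no-op step: add `if: github.actor != 'dependabot[bot]'` directly under `run:`; a job skipped this way still reports as successful for a required branch-protection check, so the "artificially flag as successful" trick the old comment described is not needed. The `github.event_name == 'merge_group'` half of the condition and the words "and merge queues" in the new comment are dead now that this same commit removes the `merge_group` trigger. The job definition appears to end with this hunk; confirm nothing follows the `env:` block.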