ci: right-size OpenGrep PR scan

* ci: right-size opengrep pr scan * ci: avoid opengrep rulepack self-scan * ci: opt opengrep workflows into node24 actions * ci: update opengrep workflow action majors
2026-05-06 05:10:44 +00:00 · 2026-04-30 01:52:12 -07:00
parent d50ad19e4b
commit 005eeca06f
3 changed files with 26 additions and 6 deletions
--- a/.github/workflows/opengrep-precise-full.yml
+++ b/.github/workflows/opengrep-precise-full.yml
@@ -11,6 +11,9 @@ concurrency:
  group: opengrep-full-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
 permissions:
  contents: read
  security-events: write
@@ -22,7 +25,7 @@ jobs:
    timeout-minutes: 30
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          persist-credentials: false

@@ -50,7 +53,7 @@ jobs:
          scripts/run-opengrep.sh --sarif --error

      - name: Upload SARIF to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
        # Only upload if the scan actually produced a SARIF file.
        if: always() && hashFiles('.opengrep-out/precise.sarif') != ''
        with:
--- a/.github/workflows/opengrep-precise.yml
+++ b/.github/workflows/opengrep-precise.yml
@@ -9,11 +9,25 @@ name: OpenGrep — PR Diff

 on:
  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    paths:
+      - ".github/workflows/opengrep-precise.yml"
+      - ".github/workflows/opengrep-precise-full.yml"
+      - ".semgrepignore"
+      - "apps/**"
+      - "extensions/**"
+      - "packages/**"
+      - "scripts/**"
+      - "security/opengrep/**"
+      - "src/**"

 concurrency:
  group: opengrep-pr-diff-${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true

+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
 permissions:
  contents: read
  security-events: write
@@ -21,11 +35,12 @@ permissions:
 jobs:
  scan:
    name: Scan changed paths (precise)
-    runs-on: blacksmith-16vcpu-ubuntu-2404
+    if: ${{ !github.event.pull_request.draft }}
+    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 30
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          persist-credentials: false
          # `scripts/run-opengrep.sh --changed` diffs base...HEAD.
@@ -59,7 +74,7 @@ jobs:
          scripts/run-opengrep.sh --changed --sarif --error

      - name: Upload SARIF to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
        # Only upload if the scan actually produced a SARIF file.
        if: always() && hashFiles('.opengrep-out/precise.sarif') != ''
        with:
--- a/scripts/run-opengrep.sh
+++ b/scripts/run-opengrep.sh
@@ -127,7 +127,9 @@ if (( PATHS_PASSED == 0 )); then
      } | awk '/^(security\/opengrep\/|scripts\/run-opengrep\.sh$|\.semgrepignore$|\.github\/workflows\/opengrep-)/ { print }' | sort -u
    )
    if (( ${#SCAN_PATHS[@]} == 0 && ${#RULEPACK_CHANGED_PATHS[@]} > 0 )); then
-      SCAN_PATHS=( "security/opengrep/precise.yml" )
+      # Exercise rulepack loading without scanning the compiled YAML, which contains
+      # rule pattern literals that can match themselves.
+      SCAN_PATHS=( "scripts/run-opengrep.sh" )
    fi
    if (( ${#SCAN_PATHS[@]} == 0 )); then
      echo "→ No changed first-party paths for opengrep." >&2