From 005eeca06f3cf29a80d42814be5001912e30e133 Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Thu, 30 Apr 2026 01:52:12 -0700
Subject: [PATCH] ci: right-size OpenGrep PR scan

* ci: right-size opengrep pr scan
* ci: avoid opengrep rulepack self-scan
* ci: opt opengrep workflows into node24 actions
* ci: update opengrep workflow action majors
---
 .github/workflows/opengrep-precise-full.yml | 7 +++++--
 .github/workflows/opengrep-precise.yml | 21 ++++++++++++++++++---
 scripts/run-opengrep.sh | 4 +++-
 3 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/opengrep-precise-full.yml b/.github/workflows/opengrep-precise-full.yml
index 834f4135e7f..19dff393a5e 100644
--- a/.github/workflows/opengrep-precise-full.yml
+++ b/.github/workflows/opengrep-precise-full.yml
@@ -11,6 +11,9 @@ concurrency:
 group: opengrep-full-${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: false
 
+env:
+ FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
 permissions:
 contents: read
 security-events: write
@@ -22,7 +25,7 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
 
@@ -50,7 +53,7 @@ jobs:
 scripts/run-opengrep.sh --sarif --error

 - name: Upload SARIF to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@v4
 # Only upload if the scan actually produced a SARIF file.
 if: always() && hashFiles('.opengrep-out/precise.sarif') != ''
 with:
diff --git a/.github/workflows/opengrep-precise.yml b/.github/workflows/opengrep-precise.yml
index 5ee59c23258..c5eec261b61 100644
--- a/.github/workflows/opengrep-precise.yml
+++ b/.github/workflows/opengrep-precise.yml
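Review bot: The new workflow-level `FORCE_JAVASCRIPT_ACTIONS_TO_NODE24` entry in the first hunk carries no comment saying why it is set or when it can be removed, and the same bare entry is added to `opengrep-precise.yml` in the next file. A one-line comment above `env:` would help the next maintainer, e.g. `# Opt this workflow's JavaScript actions into the Node 24 runtime ahead of the runner default; drop once the default has switched.` Separately, the `uses:` bumps in the later hunks keep mutable major tags (`actions/checkout@v6`, `github/codeql-action/upload-sarif@v4`); for a workflow that holds `security-events: write`, pinning each action to a full commit SHA with the version in a trailing comment would make the supply chain reproducible, with the SHA taken from the action's release rather than guessed here.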
@@ -9,11 +9,25 @@ name: OpenGrep — PR Diff

 on:
 pull_request:
+ types: [opened, synchronize, reopened, ready_for_review]
+ paths:
+ - ".github/workflows/opengrep-precise.yml"
+ - ".github/workflows/opengrep-precise-full.yml"
+ - ".semgrepignore"
+ - "apps/**"
+ - "extensions/**"
+ - "packages/**"
+ - "scripts/**"
+ - "security/opengrep/**"
+ - "src/**"
 
 concurrency:
 group: opengrep-pr-diff-${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
 cancel-in-progress: true
 
+env:
+ FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
 permissions:
 contents: read
 security-events: write
@@ -21,11 +35,12 @@ permissions:
 jobs:
 scan:
 name: Scan changed paths (precise)
- runs-on: blacksmith-16vcpu-ubuntu-2404
+ if: ${{ !github.event.pull_request.draft }}
+ runs-on: blacksmith-4vcpu-ubuntu-2404
 timeout-minutes: 30
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
 # `scripts/run-opengrep.sh --changed` diffs base...HEAD.
@@ -59,7 +74,7 @@ jobs:
 scripts/run-opengrep.sh --changed --sarif --error

 - name: Upload SARIF to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@v4
 # Only upload if the scan actually produced a SARIF file.
 if: always() && hashFiles('.opengrep-out/precise.sarif') != ''
 with:
diff --git a/scripts/run-opengrep.sh b/scripts/run-opengrep.sh
index 7300afbe559..a6efb91b9e0 100755
--- a/scripts/run-opengrep.sh
+++ b/scripts/run-opengrep.sh
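Review bot: The new `paths:` filter in the first hunk narrows the PR scan to the listed trees, so a pull request that only touches root-level files, other workflow files, or any directory not listed gets no PR-time scan and presumably relies on `opengrep-precise-full.yml` to catch it later; if this job is a required status check, such PRs will also never receive a result from it. That trade-off may be intended for a right-sizing change, but it is invisible from the workflow, so a comment above `paths:` stating it would help: `# Deliberately scoped to first-party source trees; anything outside these paths is covered by opengrep-precise-full.yml only.` The list also duplicates the path knowledge in the awk pattern of `scripts/run-opengrep.sh` (`security/opengrep/`, `.semgrepignore`, `.github/workflows/opengrep-`), so the two will have to be kept in step by hand. The draft guard added in the second hunk (`if: ${{ !github.event.pull_request.draft }}`) pairs correctly with `ready_for_review` in `types`, so a draft that is marked ready still gets scanned.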
@@ -127,7 +127,9 @@ if (( PATHS_PASSED == 0 )); then
 } | awk '/^(security\/opengrep\/|scripts\/run-opengrep\.sh$|\.semgrepignore$|\.github\/workflows\/opengrep-)/ { print }' | sort -u
 )
 if (( ${#SCAN_PATHS[@]} == 0 && ${#RULEPACK_CHANGED_PATHS[@]} > 0 )); then
- SCAN_PATHS=( "security/opengrep/precise.yml" )
+ # Exercise rulepack loading without scanning the compiled YAML, which contains
+ # rule pattern literals that can match themselves.
+ SCAN_PATHS=( "scripts/run-opengrep.sh" )
 fi
 if (( ${#SCAN_PATHS[@]} == 0 )); then
 echo "→ No changed first-party paths for opengrep." >&2
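Review bot: The self-scan problem is only sidestepped on this fallback branch: `security/opengrep/precise.yml` can still land in `SCAN_PATHS` through explicit arguments (`PATHS_PASSED != 0`) or through the changed-path derivation above the hunk, and then the same self-matching rule literals would produce findings again. A more durable fix is to exclude the rulepack directory in `.semgrepignore` (which this script already treats as part of the rulepack in the awk pattern), assuming opengrep honours that file in this setup, so the exclusion holds however the paths are chosen; the hunk's comment could then say so, e.g. `# security/opengrep/ is excluded via .semgrepignore; scan this script so the rulepack still gets loaded and compiled.` The hard-coded `"scripts/run-opengrep.sh"` also assumes the script's own location and the repo root as the working directory; `"${BASH_SOURCE[0]}"` would follow a rename, provided its form (possibly absolute or `./`-prefixed) does not upset the ignore matching. The enclosing `if (( PATHS_PASSED == 0 ))` block starts and ends outside the hunk.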