ci: right-size OpenGrep PR scan

* ci: right-size opengrep pr scan * ci: avoid opengrep rulepack self-scan * ci: opt opengrep workflows into node24 actions * ci: update opengrep workflow action majors
2026-05-06 12:40:43 +00:00 · 2026-04-30 01:52:12 -07:00
parent d50ad19e4b
commit 005eeca06f
3 changed files with 26 additions and 6 deletions
--- a/.github/workflows/opengrep-precise-full.yml
+++ b/.github/workflows/opengrep-precise-full.yml
@@ -11,6 +11,9 @@ concurrency:
  group: opengrep-full-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
 permissions:
  contents: read
  security-events: write
@@ -22,7 +25,7 @@ jobs:
    timeout-minutes: 30
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          persist-credentials: false

@@ -50,7 +53,7 @@ jobs:
          scripts/run-opengrep.sh --sarif --error

      - name: Upload SARIF to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
        # Only upload if the scan actually produced a SARIF file.
        if: always() && hashFiles('.opengrep-out/precise.sarif') != ''
        with: