ci: right-size OpenGrep PR scan

* ci: right-size opengrep pr scan * ci: avoid opengrep rulepack self-scan * ci: opt opengrep workflows into node24 actions * ci: update opengrep workflow action majors
2026-05-06 16:20:43 +00:00 · 2026-04-30 01:52:12 -07:00
parent d50ad19e4b
commit 005eeca06f
3 changed files with 26 additions and 6 deletions
--- a/scripts/run-opengrep.sh
+++ b/scripts/run-opengrep.sh
@@ -127,7 +127,9 @@ if (( PATHS_PASSED == 0 )); then
      } | awk '/^(security\/opengrep\/|scripts\/run-opengrep\.sh$|\.semgrepignore$|\.github\/workflows\/opengrep-)/ { print }' | sort -u
    )
    if (( ${#SCAN_PATHS[@]} == 0 && ${#RULEPACK_CHANGED_PATHS[@]} > 0 )); then
-      SCAN_PATHS=( "security/opengrep/precise.yml" )
+      # Exercise rulepack loading without scanning the compiled YAML, which contains
+      # rule pattern literals that can match themselves.
+      SCAN_PATHS=( "scripts/run-opengrep.sh" )
    fi
    if (( ${#SCAN_PATHS[@]} == 0 )); then
      echo "→ No changed first-party paths for opengrep." >&2