chore: update pre-commit to semgrep 1.94.0 #11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This workflow auto approves the PR generated by the bump_version | |
# workflow, and moves the tag that was created in the PR's branch | |
# to develop. | |
name: github-actions auto-approve | |
on: pull_request_target | |
permissions: | |
pull-requests: write | |
contents: write | |
jobs: | |
approve-bot: | |
runs-on: ubuntu-latest | |
if: ${{ github.event.pull_request.user.login == 'semgrep-ci[bot]'}} | |
steps: | |
- name: Approve | |
run: gh pr review --approve "$PR_URL" | |
env: | |
PR_URL: ${{ github.event.pull_request.html_url }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Watch untill PR checks are done | |
run: gh pr checks --required --watch "$PR_URL" | |
env: | |
PR_URL: ${{ github.event.pull_request.html_url }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Merge PR | |
run: gh pr merge --squash "$PR_URL" | |
env: | |
PR_URL: ${{ github.event.pull_request.html_url }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
# Now we switch to semgrep-ci[bot] to actually be able to | |
# move the tag we created in bump_version.yml from the | |
# release branch to develop | |
- id: jwt | |
env: | |
EXPIRATION: 600 | |
ISSUER: ${{ secrets.SEMGREP_CI_APP_ID }} | |
PRIVATE_KEY: ${{ secrets.SEMGREP_CI_APP_KEY }} | |
name: Get JWT for semgrep-ci GitHub App | |
uses: docker://public.ecr.aws/y9k7q4m1/devops/cicd:latest | |
- id: token | |
name: Get token for semgrep-ci GitHub App | |
run: | | |
TOKEN="$(curl -X POST \ | |
-H "Authorization: Bearer ${{ steps.jwt.outputs.jwt }}" \ | |
-H "Accept: application/vnd.github.v3+json" \ | |
"https://api.github.com/app/installations/${{ secrets.SEMGREP_CI_APP_INSTALLATION_ID }}/access_tokens" | \ | |
jq -r .token)" | |
echo "::add-mask::$TOKEN" | |
echo "token=$TOKEN" >> $GITHUB_OUTPUT | |
- uses: actions/checkout@v4 | |
with: | |
ref: develop | |
token: ${{ steps.token.outputs.token }} | |
- name: Move tag to develop branch | |
env: | |
GITHUB_TOKEN: ${{ steps.token.outputs.token }} | |
run: | | |
CURR_VERSION=$(grep -o 'version=\"[0-9.]*\"' setup.py | sed "s/version=\"\([0-9.]*\)\"/\1/") | |
# We tagged the release branch first in bump_version.yml | |
# to allow tests to pass; now moving it to develop so | |
# it can be a part of its history | |
git push --delete origin "v${CURR_VERSION}" | |
git tag "v${CURR_VERSION}" HEAD | |
git push origin tag "v${CURR_VERSION}" |