Sync with Pro #4021
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # AUTOGENERATED FROM check-semgrep-pro.jsonnet DO NOT MODIFY | |
| jobs: | |
| job: | |
| container: returntocorp/ocaml:alpine-2024-01-18 | |
| env: | |
| HOME: /root | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install required alpine packages | |
| run: | | |
| # Needed by github bot to parse json results from github's endpoint. | |
| apk add jq | |
| # Needed for gh commands. | |
| apk add github-cli | |
| # Needed for large files in semgrep-proprietary. | |
| apk add git-lfs | |
| - env: | |
| EXPIRATION: 600 | |
| ISSUER: ${{ secrets.SEMGREP_CI_APP_ID }} | |
| PRIVATE_KEY: ${{ secrets.SEMGREP_CI_APP_KEY }} | |
| id: jwt | |
| name: Get JWT for semgrep-ci GitHub App | |
| uses: docker://public.ecr.aws/y9k7q4m1/devops/cicd:latest | |
| - id: token | |
| name: Get token for semgrep-ci GitHub App | |
| run: | | |
| TOKEN="$(curl -X POST \ | |
| -H "Authorization: Bearer ${{ steps.jwt.outputs.jwt }}" \ | |
| -H "Accept: application/vnd.github.v3+json" \ | |
| "https://api.github.com/app/installations/${{ secrets.SEMGREP_CI_APP_INSTALLATION_ID }}/access_tokens" | \ | |
| jq -r .token)" | |
| echo "::add-mask::$TOKEN" | |
| echo "token=$TOKEN" >> $GITHUB_OUTPUT | |
| - name: Make checkout speedy | |
| run: git config --global fetch.parallel 50 | |
| - uses: actions/checkout@v3 | |
| with: | |
| submodules: true | |
| - name: Configure git safedir properly | |
| run: git config --global --add safe.directory $(pwd) | |
| - env: | |
| SEGMENT_DOWNLOAD_TIMEOUT_MINS: 2 | |
| name: Set GHA cache for OPAM in ~/.opam | |
| uses: actions/cache@v3 | |
| with: | |
| key: ${{ runner.os }}-${{ runner.arch }}-opam-deps-4.14.0-${{hashFiles('semgrep.opam')}} | |
| path: ~/.opam | |
| - name: Install semgrep dependencies | |
| run: | | |
| eval $(opam env) | |
| make install-deps-ALPINE-for-semgrep-core | |
| make install-deps-for-semgrep-core | |
| make install-deps | |
| - env: | |
| GITHUB_TOKEN: ${{ steps.token.outputs.token }} | |
| name: Checkout semgrep-pro | |
| run: | | |
| cd .. | |
| gh repo clone semgrep/semgrep-proprietary | |
| cd semgrep-proprietary | |
| git submodule update --init | |
| - name: Adjust semgrep-pro to use the semgrep in this PR | |
| run: | | |
| cd ../semgrep-proprietary | |
| rm -rf OSS | |
| ln -s ../semgrep OSS | |
| - name: Install semgrep-pro dependencies | |
| run: | | |
| cd ../semgrep-proprietary | |
| eval $(opam env) | |
| make install-deps-ALPINE | |
| make install-deps | |
| - name: Compile semgrep-pro | |
| run: | | |
| cd ../semgrep-proprietary | |
| eval $(opam env) | |
| make | |
| - name: Make artifact | |
| run: | | |
| mkdir artifacts | |
| cp ../semgrep-proprietary/bin/semgrep-core artifacts/ | |
| cp ../semgrep-proprietary/bin/semgrep-core-proprietary artifacts/ | |
| tar czf artifacts.tgz artifacts/ | |
| - uses: actions/upload-artifact@v3 | |
| with: | |
| name: semgrep-core-pro-x86-artifact | |
| path: artifacts.tgz | |
| - name: Test semgrep-pro | |
| run: | | |
| cd ../semgrep-proprietary | |
| eval $(opam env) | |
| make test | |
| - env: | |
| GITHUB_TOKEN: ${{ steps.token.outputs.token }} | |
| name: Checkout Pro rules | |
| run: | | |
| cd .. | |
| gh repo clone semgrep/semgrep-rules-proprietary | |
| cd semgrep-rules-proprietary | |
| git submodule update --init | |
| - name: Test Pro rules | |
| run: | | |
| cd ../semgrep-rules-proprietary/paid | |
| # This rule is missing a target file | |
| rm -f kotlin/ktor/active-debug-code/ktor-development-mode-yaml.yaml | |
| # This is much faster than `pysemgrep --test` and it's also stricter. | |
| # TODO: Replace with `osemgrep-pro test` when that is ready. | |
| ../../semgrep-proprietary/bin/semgrep-core-proprietary -test_rules . | |
| name: check-semgrep-pro | |
| on: | |
| pull_request: null | |
| push: | |
| branches: | |
| - develop | |
| workflow_call: null | |
| workflow_dispatch: null |