* chore(ci): add semgrep rule no-bracket-assign-on-literal-object-map * chore(ci): add workflow running semgrep bracket-assign guard on push/PR * fix(parser): use Object.create(null) for categoryBreakdown map * chore(ci): expand semgrep rule to cover ||, ??=, and if-guard variants * chore(ci): limit push trigger to main and add semgrep --strict * chore(ci): use jq to enforce finding count (--error unreliable in semgrep 1.x)
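---
# CI: runs one Semgrep rule as a merge gate on pushes to main and on pull
# requests. The job only reads the repository, so the workflow token is scoped
# down explicitly rather than inheriting the repository-wide default.
name: CI

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes back.
permissions:
  contents: read

jobs:
  semgrep:
    runs-on: ubuntu-latest
    # Bound a hung semgrep/pip so a stuck run cannot hold the runner open.
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step runs git, so do not leave the token in .git/config.
          persist-credentials: false

      - name: Install Semgrep
        # NOTE(review): unpinned install. Pin it
        # (pip install "semgrep==<pinned-version>") so rule semantics and
        # --strict behaviour cannot change between runs without a commit.
        run: pip install semgrep

      - name: Run Semgrep bracket-assign guard
        # Findings are counted with jq instead of relying on semgrep's own
        # exit code (--error is unreliable in semgrep 1.x per the commit
        # message). --strict is kept so rule/config errors still fail the
        # step rather than passing silently as "zero findings".
        run: |
          set -euo pipefail
          semgrep --config .semgrep/rules/no-bracket-assign-hot-paths.yml \
            --strict --json \
            src/providers/ src/parser.ts > semgrep-out.json
          FINDINGS=$(jq '.results | length' semgrep-out.json)
          if [ "$FINDINGS" -gt 0 ]; then
            # Surface each finding as a GitHub error annotation, then fail.
            jq -r '.results[] | "::error file=\(.path),line=\(.start.line)::\(.extra.message)"' semgrep-out.json
            exit 1
          fi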