From ec9f9fb9a7b32fde87e01dbcee5e02436c3e9535 Mon Sep 17 00:00:00 2001 From: Kris Armstrong Date: Fri, 10 Jul 2026 12:14:00 -0400 Subject: [PATCH 1/2] ci(semgrep): consume the fleet-shared reusable Semgrep workflow Replace seed's byte-identical Semgrep job with a call to MustardSeedNetworks/.github's reusable semgrep.yml (Phase 3). ci-complete still needs: [semgrep]. Verified via niac canary (#1008, CI Complete green). --- .github/workflows/ci.yml | 27 +++------------------------ 1 file changed, 3 insertions(+), 24 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 48e9147f..62e2fe49 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -469,33 +469,12 @@ jobs: # above: SAST coverage on every PR is non-negotiable, and Semgrep is fast # enough (~1-2 min for this ruleset) that gating it behind path filters # isn't worth the added complexity. + # Defined once in MustardSeedNetworks/.github (fleet-shared); ci-complete + # still needs: [semgrep]. Edit the pinned version / config policy there. semgrep: - name: Semgrep SAST - runs-on: ubuntu-latest - timeout-minutes: 10 + uses: MustardSeedNetworks/.github/.github/workflows/semgrep.yml@main permissions: contents: read - steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - - - name: Set up Python - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 - with: - python-version: "3.13" - - - name: Install Semgrep (pinned) - run: pip install "semgrep==1.168.0" - - - name: Run Semgrep (blocking on ERROR severity) - run: | - semgrep scan \ - --config p/golang \ - --config p/typescript \ - --config p/react \ - --config p/owasp-top-ten \ - --severity ERROR \ - --error \ - --metrics=off # =========================================================================== # Code Quality Checks From adfa9ed806cc71c391520cf423246632446230a3 Mon Sep 17 00:00:00 2001 From: Kris Armstrong Date: Fri, 10 Jul 2026 12:22:08 -0400 Subject: [PATCH 2/2] ci: pin fleet-shared reusable workflows to a tagged SHA Pin the license-check + semgrep reusable-workflow refs to MustardSeedNetworks/.github@v1.0.0 (762b756) instead of @main, matching the fleet's action-pinning discipline and the .github README's stated pattern. Renovate bumps these github-actions refs like any other pinned action (same model as the foundation module), so the one-edit-point holds while a bad shared-workflow push is gated by each repo's CI rather than landing instantly fleet-wide. --- .github/workflows/ci.yml | 2 +- .github/workflows/license-check.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 62e2fe49..d2d479dd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -472,7 +472,7 @@ jobs: # Defined once in MustardSeedNetworks/.github (fleet-shared); ci-complete # still needs: [semgrep]. Edit the pinned version / config policy there. semgrep: - uses: MustardSeedNetworks/.github/.github/workflows/semgrep.yml@main + uses: MustardSeedNetworks/.github/.github/workflows/semgrep.yml@762b756e6fb5803443b9bcfdba03b88596c18e04 # v1.0.0 permissions: contents: read diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml index c890d87b..aa95b7e3 100644 --- a/.github/workflows/license-check.yml +++ b/.github/workflows/license-check.yml @@ -22,4 +22,4 @@ jobs: # To change license policy for the fleet, edit that workflow, not this file. # foundation + modernc.org/mathutil are already ignored there fleet-wide. license-check: - uses: MustardSeedNetworks/.github/.github/workflows/license-check.yml@main + uses: MustardSeedNetworks/.github/.github/workflows/license-check.yml@762b756e6fb5803443b9bcfdba03b88596c18e04 # v1.0.0