ci: add Semgrep OSS scanning workflow #6651

Open

hrushikeshdeshpande wants to merge 1 commit into main from hrushikesh/add-semgrep-oss-workflow
Conversation

@hrushikeshdeshpande (Contributor)

Summary

Adds Semgrep Community Edition (OSS) scanning to this repository as part of the App&ProdSec team's migration from Semgrep Pro to Semgrep CE.

What it does

  • Runs on every PR, on push to the main/master branch, and monthly on a staggered schedule.
  • Uses actions/cache@v5 so pip install semgrep only runs on cold cache (first run, version bump, or 7-day idle).
  • Pinned to semgrep==1.160.0 with --config=auto (default OSS ruleset).
  • Runs on ubuntu-slim with contents: read token scope.

For reviewers

  • Findings are informational; the job does not block on findings.
  • First PR after merge installs Semgrep; subsequent PRs skip that step.

See the internal App&ProdSec email for migration context, or ping us internally.
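As an added illustration (not the workflow file from this PR), the following is one way to write a job that matches the behaviour listed above: PR and push triggers plus a monthly cron, a read-only token, a pinned Semgrep version installed only on a cache miss, and a scan whose findings do not fail the job. The cron expression, the cache path and the cache key are assumptions; the action versions and runner label are the ones the PR description names.

```yaml
# Illustrative reconstruction, not the file submitted in PR #6651.
# Assumed values: the cron expression, the cache path (~/.local) and the cache key.
name: semgrep-oss

on:
  pull_request:
  push:
    branches: [main, master]
  schedule:
    - cron: "17 4 9 * *"   # assumed: once a month, off the top of the hour

# The job only reads the repository, so the token needs nothing beyond contents: read.
permissions:
  contents: read

jobs:
  semgrep:
    name: semgrep-oss
    runs-on: ubuntu-slim   # runner label as given in the PR description
    env:
      SEMGREP_VERSION: "1.160.0"   # single source of truth for the pin
    steps:
      - uses: actions/checkout@v6

      # The cache key carries the Semgrep version, so a version bump is a cache miss
      # and a fresh install; GitHub also evicts caches unused for 7 days.
      - name: Restore pinned Semgrep from cache
        id: semgrep-cache
        uses: actions/cache@v5
        with:
          path: ~/.local   # assumed: pip --user install location
          key: semgrep-${{ runner.os }}-${{ env.SEMGREP_VERSION }}

      # Runs only when the cache did not restore, i.e. first run, version bump or idle eviction.
      - name: Install Semgrep (cold cache only)
        if: steps.semgrep-cache.outputs.cache-hit != 'true'
        run: python3 -m pip install --user "semgrep==${SEMGREP_VERSION}"

      # Without --error, semgrep exits 0 when it has findings, so results stay
      # informational in the log and the check does not block the PR.
      - name: Run Semgrep CE
        run: |
          export PATH="$HOME/.local/bin:$PATH"
          semgrep --version
          semgrep scan --config=auto
```

The `if:` guard on the install step is what makes the cache meaningful: `actions/cache` restores files but does not itself skip later steps, so the install has to be conditioned on `cache-hit` explicitly.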

@ask-bonk (Bot) left a comment

I'm Bonk, and I've done a quick review of your PR.

This PR migrates the Semgrep workflow from Pro (container-based, token-auth) to Community Edition (pip-installed, --config=auto).

Issues

  1. ubuntu-slim is not a standard GitHub-hosted runner label — GitHub provides ubuntu-latest, ubuntu-24.04, ubuntu-22.04, etc. ubuntu-slim will cause the job to hang waiting for a runner that never arrives (unless this org has a self-hosted runner with that label, in which case ignore this). Every other workflow in this repo uses ubuntu-latest, ubuntu-24.04, or ubuntu-22.04.

  2. actions/checkout@v5 — this repo has standardised on @v6 — every other workflow (except one legacy one at @v4) uses actions/checkout@v6. Using @v5 here is inconsistent and misses any fixes/improvements in v6.

container:
image: semgrep/semgrep
name: semgrep-oss
runs-on: ubuntu-slim
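Review bot: the `container: image: semgrep/semgrep` reference being removed here carried no tag, so the old container job ran whatever `latest` resolved to at scan time; the move to a pip pin on `semgrep==1.160.0` described in the PR fixes that, and the version is best kept in one place (an `env` value used by both the cache key and the `pip install` line) so a bump cannot leave the two out of step. For `runs-on: ubuntu-slim`, watch the first run after merge to confirm a runner with that label picks the job up rather than leaving it queued.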
@ask-bonk commented on this line:

ubuntu-slim is not a standard GitHub-hosted runner label. This will cause the job to queue indefinitely unless the org has a self-hosted runner with that exact label. The rest of this repo uses ubuntu-latest or versioned labels.

Suggested change
runs-on: ubuntu-slim
runs-on: ubuntu-latest
- uses: actions/checkout@v5
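Review bot: `actions/checkout@v5` is referenced by a mutable tag. Independently of the v5/v6 consistency point, a workflow that runs a security scanner with the repository's `contents: read` token should pin third-party actions to a full commit SHA with the version in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v6` (SHA left as a placeholder here), so that a retagged or compromised release cannot silently change what executes in CI.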
@ask-bonk commented on this line:

This repo has standardised on actions/checkout@v6 — every other workflow already uses v6.

Suggested change
- uses: actions/checkout@v5
- uses: actions/checkout@v6

ask-bonk Bot commented Apr 23, 2026

Review posted successfully on PR #6651 with two findings:

  1. ubuntu-slim is not a valid GitHub-hosted runner label (line 17) — will cause the job to queue forever. Suggested ubuntu-latest.
  2. actions/checkout@v5 should be @v6 (line 19) — the rest of the repo uses v6. Suggested the version bump.

Both issues have concrete suggestion comments attached for easy one-click adoption.

codspeed-hq Bot commented Apr 23, 2026

Merging this PR will not alter performance

✅ 72 untouched benchmarks
⏩ 129 skipped benchmarks [1]

Comparing hrushikesh/add-semgrep-oss-workflow (e14d81e) with main (b322726) [2]

Footnotes

  1. 129 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

  2. No successful run was found on main (8af12c7) during the generation of this report, so b322726 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.
