move run-semgrep script into composite action to facilitate calling workflow cross-repo

Author: sarasvoss

.github/actions/run-semgrep/.npmrc

@@ -0,0 +1,4 @@
+ignore-scripts=true
+save-exact=true
+audit=true
+fund=false

.github/actions/run-semgrep/CHANGELOG.md

@@ -0,0 +1,14 @@
+# Changelog for run-semgrep Composite Action
+
+All notable changes to the run-semgrep composite GitHub Action will be documented in this file.
+
+## 1.0.0 - Initial Release
+
+### Added
+
+- Initial release of the reusable composite action for running Semgrep scans
+- Inputs are passed via environment variables
+- Support running on both push and pull_request events
+- Standardizes baseline resolution for diff scans
+- Outputs include scan summary, config summary, scan status, and finding counts
+- Designed to integrate with reviewdog for annotations

.github/actions/run-semgrep/README.md

@@ -0,0 +1,113 @@
+# Run Semgrep Action
+
+## 🧭 Summary
+
+Runs a Semgrep scan normalizing the baseline for diff scans depending on push vs PR context. Outputs scan results and summaries for downstream steps.
+
+## Scope/Limitations
+
+- Supports both push and pull request events.
+- Requires Semgrep to be installed and available in the runner environment.
+- Expects environment variables for configuration (see below).
+
+## 🔒 Permissions
+
+The following GHA permissions are required to use this step:
+
+```yaml
+permissions:
+  contents: read
+```
+
+## Dependencies
+
+- `semgrep` — must be installed in the runner environment.
+- `node-fetch` — required Node.js dependency (see package.json).
+- `reviewdog` — for annotation output (optional, for downstream steps).
+
+## ⚙️ Inputs
+
+This action is environment-driven. The following environment variables are required:
+
+| Name                | Required | Description                                                                                 |
+| ------------------- | -------- | ------------------------------------------------------------------------------------------- |
+| `HAS_PR`            | ✅       | Whether the current context has an associated PR (true/false)                               |
+| `PR_NUMBER`         | ❌       | PR number if applicable                                                                     |
+| `PR_URL`            | ❌       | PR URL if applicable                                                                        |
+| `INPUT_BASELINE`    | ✅       | Baseline ref to use for diffing (e.g., origin/main)                                         |
+| `GITHUB_EVENT_NAME` | ✅       | GitHub provided environment variable for event name (e.g., push, pull_request)              |
+| `GITHUB_REF_NAME`   | ✅       | GitHub provided environment variable for the branch or tag name that triggered the workflow |
+| `GITHUB_BASE_REF`   | ❌       | GitHub provided environment variable for the base ref of a PR (if applicable)               |
+| `GITHUB_REPOSITORY` | ✅       | GitHub provided environment variable for the repository (e.g., owner/repo)                  |
+| `GITHUB_TOKEN`      | ✅       | GitHub token for API access                                                                 |
+| `SCAN_MODE`         | ✅       | 'diff' or 'full' scan mode                                                                  |
+| `SEMGREP_CONFIG`    | ✅       | Semgrep ruleset(s) to use                                                                   |
+| `SEMGREP_TARGETS`   | ✅       | Targets to scan (default: current directory)                                                |
+| `FAIL_LEVEL`        | ✅       | Severity level to fail on (e.g., ERROR, WARNING)                                            |
+| `EXTRA_ARGS`        | ❌       | Additional arguments to pass to Semgrep                                                     |
+
+## 📤 Outputs
+
+Along with writing files for reviewdog annotations and inputs, this action provides the following outputs:
+
+| Name                 | Description                                         |
+| -------------------- | --------------------------------------------------- |
+| `normalizedBaseline` | The resolved baseline ref                           |
+| `scanSummary`        | Summary of findings in markdown format              |
+| `configSummary`      | Summary of scan config in markdown format           |
+| `scanStatus`         | 'success' or 'failure' based on findings/fail level |
+| `totalFindings`      | Total number of findings                            |
+| `numErrors`          | Number of ERROR severity findings                   |
+| `numWarnings`        | Number of WARNING severity findings                 |
+| `numInfo`            | Number of INFO severity findings                    |
+
+## 🚀 Usage
+
+Basic usage example:
+
+```yaml
+- name: Run Semgrep
+  id: semgrep
+  uses: OpenSesame/core-github-actions/.github/actions/run-semgrep@actions/run-semgrep/1.0.0
+  env:
+    HAS_PR: ${{ env.HAS_PR }}
+    INPUT_BASELINE: ${{ env.INPUT_BASELINE }}
+    GITHUB_EVENT_NAME: ${{ github.event_name }}
+    GITHUB_REF_NAME: ${{ github.ref_name }}
+    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    GITHUB_REPOSITORY: ${{ github.repository }}
+    SEMGREP_CONFIG: 'p/default'
+    SEMGREP_TARGETS: '.'
+    SCAN_MODE: 'full'
+    FAIL_LEVEL: 'error'
+    EXTRA_ARGS: ''
+```
+
+Example outputs:
+
+```yaml
+steps.semgrep.outputs.scanStatus
+steps.semgrep.outputs.totalFindings
+```
+
+Example usage of outputs in later steps:
+
+```yaml
+if: steps.semgrep.outputs.scanStatus == 'failure'
+  run: echo "Semgrep scan failed at or above threshold."
+```
+
+## 🧠 Notes
+
+- This action writes a file for reviewdog annotations (`reviewdog_input.txt`).
+- Unit tests for the script are included in `run-semgrep.unit.test.js` (not used by the action, but kept for maintainability).
+
+## Versioning
+
+This action uses namespaced tags for versioning and is tracked in the CHANGELOG.
+
+```text
+actions/run-semgrep/vX.Y.Z
+```
+
+See the repository's versioning documentation for details on how tags are validated and created.

.github/actions/run-semgrep/action.yml

@@ -0,0 +1,14 @@
+name: 'Run Semgrep'
+description: 'Run a Semgrep scan and output results for reviewdog and future steps'
+runs:
+  using: composite
+  steps:
+    - name: Install action dependencies
+      shell: bash
+      working-directory: ${{ github.action_path }}
+      run: npm ci
+
+    - name: Run Semgrep Scan
+      shell: bash
+      working-directory: ${{ github.action_path }}
+      run: node ${{ github.action_path }}/run-semgrep.js

scripts/utils/env-helpers.js …ithub/actions/run-semgrep/env-helpers.jsscripts/utils/env-helpers.js renamed to .github/actions/run-semgrep/env-helpers.js scripts/utils/env-helpers.js renamed to .github/actions/run-semgrep/env-helpers.js

@@ -0,0 +1,10 @@
+{
+  "name": "@opensesame/run-semgrep-action",
+  "version": "1.0.0",
+  "main": "run-semgrep.js",
+  "private": true,
+  "description": "Composite action to run Semgrep scan for GitHub Actions.",
+  "dependencies": {
+    "node-fetch": "^2.6.7"
+  }
+}

scripts/utils/env-helpers.unit.test.js …ons/run-semgrep/env-helpers.unit.test.jsscripts/utils/env-helpers.unit.test.js renamed to .github/actions/run-semgrep/env-helpers.unit.test.js scripts/utils/env-helpers.unit.test.js renamed to .github/actions/run-semgrep/env-helpers.unit.test.js

@@ -1,41 +1,7 @@
-/*
- * Run Semgrep scan
- * Normalizes baseline for diff scans depending on push vs PR context
- *
- * Expects the following environment variables:
- *  HAS_PR - whether the current context has an associated PR (true/false)
- *  PR_NUMBER - PR number if applicable
- *  PR_URL - PR URL if applicable
- *  INPUT_BASELINE - baseline ref to use for diffing (e.g., origin/main)
- *  GITHUB_EVENT_NAME - GitHub provided environment variable for event name (e.g., push, pull_request)
- *  GITHUB_REF - Github provided environment variable for the git ref that triggered the workflow
- *  GITHUB_REF_NAME - GitHub provided environment variable for the branch or tag name that triggered the workflow
- *  GITHUB_BASE_REF - GitHub provided environment variable for the base ref of a PR (if applicable)
- *  GITHUB_REPOSITORY - GitHub provided environment variable for the repository (e.g., owner/repo)
- *  GITHUB_TOKEN - GitHub token for API access
- *  SCAN_MODE - 'diff' or 'full' scan mode
- *  SEMGREP_CONFIG - Semgrep ruleset(s) to use
- *  SEMGREP_TARGETS - Targets to scan (default: current directory)
- *  FAIL_LEVEL - Severity level to fail on (e.g., ERROR, WARNING)
- *  EXTRA_ARGS - Additional arguments to pass to Semgrep
- *
- * Outputs:
- *  - Writes file for reviewdog annotations, reviewdog_input.txt
- *  - Sets GitHub Action outputs
- *    - normalizedBaseline - the resolved baseline ref
- *    - totalFindings - total number of findings
- *    - numErrors - number of ERROR severity findings
- *    - numWarnings - number of WARNING severity findings
- *    - numInfo - number of INFO severity findings
- *    - scanSummary - summary of findings in md format
- *    - configSummary - summary of scan config in md format
- *    - scanStatus - 'success' or 'failure' based on findings and fail level
- */
-
 const { spawnSync } = require('child_process');
 const fs = require('fs');
 const fetch = require('node-fetch');
-const { validateEnvVar } = require('../utils/env-helpers');
+const { validateEnvVar } = require('./env-helpers');
 
 const SEMGREP_RESULTS_FILE_NAME = 'semgrep_results.json';
 const REVIEWDOG_INPUT_FILE_NAME = 'reviewdog_input.txt';

.github/actions/run-semgrep/package-lock.json

@@ -0,0 +1,33 @@
+const { validateEnvVar } = require('./env-helpers');
+
+describe('validateEnvVar', () => {
+  const ORIGINAL_EXIT = process.exit;
+  const ORIGINAL_CONSOLE_ERROR = console.error;
+
+  beforeEach(() => {
+    process.exit = jest.fn();
+    console.error = jest.fn();
+  });
+
+  afterEach(() => {
+    process.exit = ORIGINAL_EXIT;
+    console.error = ORIGINAL_CONSOLE_ERROR;
+  });
+
+  it('does not exit when env var is set', () => {
+    process.env.TEST_VAR = 'value';
+    validateEnvVar('TEST_VAR');
+    expect(process.exit).not.toHaveBeenCalled();
+    expect(console.error).not.toHaveBeenCalled();
+    delete process.env.TEST_VAR;
+  });
+
+  it('exits with error when env var is not set', () => {
+    delete process.env.TEST_VAR;
+    validateEnvVar('TEST_VAR');
+    expect(console.error).toHaveBeenCalledWith(
+      '::error::Environment variable TEST_VAR is required'
+    );
+    expect(process.exit).toHaveBeenCalledWith(1);
+  });
+});