name: Semgrep

on:
  workflow_dispatch: # (manual dispatch)
  schedule:
    - cron: '0 2 * * *'

permissions:
  contents: read

jobs:
  semgrep:
    name: Scan
    runs-on: ubuntu-latest
    steps:
      # Checkout project source
      - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2

      # Scan code using project's configuration on https://semgrep.dev/manage
      - uses: returntocorp/semgrep-action@a9f6c903be5b9bc982d6be6f9312146daa4964b5 # v1
        with:
          publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
          publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}
          # generateSarif: "1"

      # # Upload SARIF file generated in previous step
      # - name: Upload SARIF file
      #   uses: github/codeql-action/upload-sarif@v1
      #   with:
      #     sarif_file: semgrep.sarif
      #   if: always()