Skip to content

Update GitHub Action returntocorp/semgrep to v1.102.0 #14189

Update GitHub Action returntocorp/semgrep to v1.102.0

Update GitHub Action returntocorp/semgrep to v1.102.0 #14189

Workflow file for this run

name: Lint
on:
pull_request:
push:
branches:
- main
merge_group:
env:
TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
TURBO_TEAM: hashintel
TURBO_REMOTE_ONLY: true
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
setup:
runs-on: ubuntu-24.04
outputs:
packages: ${{ steps.packages.outputs.packages }}
steps:
- name: Checkout source code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 2
- name: Enable corepack
uses: ./.github/actions/enable-corepack
- name: Install turbo
uses: ./.github/actions/install-turbo
- name: Determine changed packages
id: packages
run: |
FILTER=$(turbo run lint --dry-run=json --filter '...[HEAD^]' | jq -e '.packages | contains(["//"])' > /dev/null && echo '' || echo '--filter ...[HEAD^]')
PACKAGES=$(sh -c "turbo run lint --dry-run=json $FILTER" \
| jq '.tasks[]' \
| jq 'select(.task == "lint")' \
| jq --compact-output --slurp '{ package: [.[].package] | unique, include: [( .[] | {package: .package, directory: .directory })] | unique }')
echo "packages=$PACKAGES" | tee -a $GITHUB_OUTPUT
package:
name: Package
needs: [setup]
strategy:
matrix: ${{ fromJSON(needs.setup.outputs.packages) }}
fail-fast: false
if: needs.setup.outputs.packages != '{"package":[],"include":[]}'
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 2
- name: Enable corepack
uses: ./.github/actions/enable-corepack
- name: Install turbo
uses: ./.github/actions/install-turbo
- name: Find lint steps to run
id: lints
run: |
set -x
ESLINT=$(turbo run lint:eslint --filter '${{ matrix.package }}' --dry-run=json \
| jq '[.tasks[] | select(.task == "lint:eslint" and .command != "<NONEXISTENT>")] != []' || echo 'false')
echo "eslint=$ESLINT" | tee -a $GITHUB_OUTPUT
TSC=$(turbo run lint:tsc --filter '${{ matrix.package }}' --dry-run=json \
| jq '[.tasks[] | select(.task == "lint:tsc" and .command != "<NONEXISTENT>")] != []' || echo 'false')
echo "tsc=$TSC" | tee -a $GITHUB_OUTPUT
CODEGEN=$(turbo run codegen --filter '${{ matrix.package }}' --dry-run=json \
| jq '[.tasks[] | select(.task == "codegen" and .command != "<NONEXISTENT>")] != []' || echo 'false')
echo "codegen=$CODEGEN" | tee -a $GITHUB_OUTPUT
HAS_RUST=$([[ -f "${{ matrix.directory }}/Cargo.toml" || ${{ matrix.directory }} = "apps/hash-graph" ]] && echo 'true' || echo 'false')
echo "has-rust=$HAS_RUST" | tee -a $GITHUB_OUTPUT
if [[ $HAS_RUST = 'true' ]]; then
if [[ -f "${{ matrix.directory }}/rust-toolchain.toml" ]]; then
RUST_TOOLCHAIN_FILE="${{ matrix.directory }}/rust-toolchain.toml"
else
RUST_TOOLCHAIN_FILE="rust-toolchain.toml"
fi
echo "rust-toolchain=$(yq '.toolchain.channel' $RUST_TOOLCHAIN_FILE)" | tee -a $GITHUB_OUTPUT
echo "has-rustfmt=$(yq '.toolchain.components | contains(["rustfmt"])' $RUST_TOOLCHAIN_FILE)" | tee -a $GITHUB_OUTPUT
echo "has-clippy=$(yq '.toolchain.components | contains(["clippy"])' $RUST_TOOLCHAIN_FILE)" | tee -a $GITHUB_OUTPUT
fi
- name: Prune repository
uses: ./.github/actions/prune-repository
with:
scope: ${{ matrix.package }}
- name: Install Protobuf
if: always() && steps.lints.outputs.has-rust == 'true'
run: sudo apt install protobuf-compiler
- name: Install Rust toolchain
if: always() && steps.lints.outputs.has-rust == 'true'
uses: ./.github/actions/install-rust-toolchain
with:
toolchain: ${{ steps.lints.outputs.rust-toolchain }}
working-directory: ${{ matrix.directory }}
- name: Install Rust tools
if: always() && steps.lints.outputs.has-rust == 'true'
uses: taiki-e/install-action@0779861fb45d2abc0679e6ff4713e53d06b089d0 # v2.47.10
with:
tool: just@1.34.0,cargo-hack@0.6.30,clippy-sarif@0.6.5,sarif-fmt@0.6.5
- name: Warm up repository
uses: ./.github/actions/warm-up-repo
- name: Cache Rust dependencies
if: always() && steps.lints.outputs.has-rust == 'true'
uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
with:
workspaces: ${{ matrix.directory }}
save-if: ${{ !startsWith(github.ref, 'refs/heads/gh-readonly-queue') }}
- name: Show disk usage
run: df -h
- name: Run codegen
if: always() && steps.lints.outputs.codegen == 'true'
run: |
set -o pipefail
turbo run codegen --force --filter "${{ matrix.package }}"
while IFS= read -r line; do
if [[ -n "$line" ]]; then
echo "Checking diff of ${{ matrix.directory }}/$line"
git --no-pager diff --exit-code --color -- "${{ matrix.directory }}/$line"
fi
done <<< "$(cat ${{ matrix.directory }}/turbo.json | grep -v '^ *//' | jq -r '.pipeline.codegen.outputs | if . == null then "." else .[] end')"
- name: Show disk usage
run: df -h
- name: Run ESLint
if: always() && steps.lints.outputs.eslint == 'true'
run: turbo run lint:eslint --filter "${{ matrix.package }}"
- name: Run TSC
if: always() && steps.lints.outputs.tsc == 'true'
run: turbo run lint:tsc --filter "${{ matrix.package }}"
- name: Run rustfmt
if: always() && steps.lints.outputs.has-rustfmt == 'true'
working-directory: ${{ matrix.directory }}
run: just format --check
- name: Run clippy
if: always() && steps.lints.outputs.has-clippy == 'true'
run: |
pushd ${{ matrix.directory }}
just clippy --message-format=json \
| clippy-sarif \
| jq '.runs[].results |= unique' \
> clippy.sarif
popd
cat ${{ matrix.directory }}/clippy.sarif | sarif-fmt
jq -e '.runs[].results == []' ${{ matrix.directory }}/clippy.sarif> /dev/null
- name: Print clippy errors to summary
if: failure() && steps.lints.outputs.has-clippy == 'true'
run: |
echo '```' >> $GITHUB_STEP_SUMMARY
cat ${{ matrix.directory }}/clippy.sarif | sarif-fmt >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
if: always() && steps.lints.outputs.has-clippy == 'true'
with:
sarif_file: ${{ matrix.directory }}/clippy.sarif
category: ${{ matrix.package }}
- name: Check public documentation
if: always() && steps.lints.outputs.has-rust == 'true'
working-directory: ${{ matrix.directory }}
env:
RUSTDOCFLAGS: "--check -Z unstable-options -D warnings"
run: cargo doc --all-features --no-deps -Zrustdoc-scrape-examples
- name: Check private documentation
if: always() && steps.lints.outputs.has-rust == 'true'
working-directory: ${{ matrix.directory }}
env:
RUSTDOCFLAGS: "--check -Z unstable-options -D warnings"
run: cargo doc --all-features --no-deps -Zrustdoc-scrape-examples --document-private-items
- name: Show disk usage
run: df -h
global:
name: Global
runs-on: ubuntu-24.04
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Warm up repository
uses: ./.github/actions/warm-up-repo
- name: Validate package.json generated from Cargo.toml
if: ${{ success() || failure() }}
run: |
cargo -Zscript run --manifest-path ".github/scripts/rust/sync-turborepo.rs" . | xargs yarn prettier --write >/dev/null
git --no-pager diff --exit-code --color '**/package.json'
- name: Run yarn lint:constraints
if: ${{ success() || failure() }}
run: |
if ! yarn lint:constraints; then
echo ''
echo ''
echo 'ℹ️ ℹ️ ℹ️'
echo 'Try running `yarn fix:constraints` locally to apply autofixes.'
echo 'ℹ️ ℹ️ ℹ️'
exit 1
fi
- name: Run yarn lint:license-in-workspaces
if: ${{ success() || failure() }}
env:
FORCE_COLOR: "1" ## https://www.npmjs.com/package/chalk#supportsColor
run: |
if ! yarn lint:license-in-workspaces; then
echo ''
echo ''
echo 'ℹ️ ℹ️ ℹ️'
echo 'Please fix the above errors locally for the check to pass.'
echo 'If you don’t see them, try merging target branch into yours.'
echo 'ℹ️ ℹ️ ℹ️'
exit 1
fi
- name: Run yarn lint:markdownlint
if: ${{ success() || failure() }}
run: |
if ! yarn lint:markdownlint; then
echo ''
echo ''
echo 'ℹ️ ℹ️ ℹ️'
echo 'Try running `yarn fix:markdownlint` locally to apply autofixes.'
echo 'ℹ️ ℹ️ ℹ️'
exit 1
fi
- name: Run yarn lint:prettier
if: ${{ success() || failure() }}
run: |
if ! yarn lint:prettier; then
echo ''
echo ''
echo 'ℹ️ ℹ️ ℹ️'
echo 'Try running `yarn fix:prettier` locally to apply autofixes.'
echo 'ℹ️ ℹ️ ℹ️'
exit 1
fi
- name: Run yarn lint:taplo
if: ${{ success() || failure() }}
run: |
if ! yarn lint:taplo; then
echo ''
echo ''
echo 'ℹ️ ℹ️ ℹ️'
echo 'Try running `yarn fix:taplo` locally to apply autofixes.'
echo 'ℹ️ ℹ️ ℹ️'
exit 1
fi
## TODO: Replace with `yarn fix:yarn-dedupe` after upgrading to Yarn v3+
## https://yarnpkg.com/cli/dedupe
## https://github.com/yarnpkg/berry/issues/2297
- name: Run yarn lint:yarn-deduplicate
if: ${{ success() || failure() }}
run: |
if ! yarn lint:yarn-deduplicate; then
echo ''
echo ''
echo 'ℹ️ ℹ️ ℹ️'
echo 'Some dependencies can be deduplicated, which will make node_modules'
echo 'lighter and potentially save us from unexplainable bugs.'
echo 'Please run `yarn fix:yarn-deduplicate` locally and commit yarn.lock.'
echo 'You may need to run the command 2-3 times in some rare cases.'
echo 'ℹ️ ℹ️ ℹ️'
exit 1
fi
## yarn --frozen-lockfile does not work for monorepos, so using a workaround:
## https://github.com/yarnpkg/yarn/issues/5840#issuecomment-467516207
## TODO: Use `yarn install --immutable` after upgrading to Yarn v3+
- name: Check yarn.lock stability
if: ${{ success() || failure() }}
run: |
git diff yarn.lock
if ! git diff --exit-code yarn.lock; then
echo ''
echo ''
echo 'ℹ️ ℹ️ ℹ️'
echo 'Changes were detected in yarn.lock file after running `yarn install`.'
echo 'This makes runtime less stable, so should be avoided.'
echo 'Please run `yarn install` locally and commit yarn.lock.'
echo 'You may also want to run `yarn fix:yarn-deduplicate` just in case.'
echo 'ℹ️ ℹ️ ℹ️'
exit 1;
fi
- name: Validate renovate config
if: ${{ success() || failure() }}
run: |
# Adding renovate in `package.json` causes incompatibility between our dependencies and their dependencies.
npm install --global renovate
if ! renovate-config-validator; then
echo ''
echo ''
echo 'ℹ️ ℹ️ ℹ️'
echo 'Please fix the above errors locally for the check to pass.'
echo 'If you don’t see them, try merging target branch into yours.'
echo 'ℹ️ ℹ️ ℹ️'
exit 1
fi
- name: Install Python
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: 3.12
- name: Install SQLFluff
run: pip install sqlfluff
- name: Run SQL formatter and linter
if: ${{ success() || failure() }}
run: |
if ! sqlfluff lint --warn-unused-ignores; then
echo ''
echo ''
echo 'ℹ️ ℹ️ ℹ️'
echo 'Try running `sqlfluff fix` locally to apply autofixes.'
echo 'Note, that SQLFluff does not come with `yarn install` and you may need to install it yourself.'
echo 'ℹ️ ℹ️ ℹ️'
exit 1
fi
- name: Create SQLFluff annotations
if: failure() && github.event.pull_request.head.repo.full_name == github.repository
run: sqlfluff lint --warn-unused-ignores --format github-annotation --write-output annotations.json --annotation-level failure --nofail
- name: Annotate
uses: yuzutech/annotations-action@0e061a6e3ac848299310b6429b60d67cafd4e7f8 # v0.5.0
if: failure() && github.event.pull_request.head.repo.full_name == github.repository
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
title: "SQLFluff Lint"
input: "annotations.json"
passed:
name: Linting passed
needs: [setup, package, global]
if: always()
runs-on: ubuntu-latest
steps:
- name: Check setup script
run: |
[[ ${{ needs.setup.result }} = success ]]
- name: Check package results
run: |
[[ ${{ needs.package.result }} =~ success|skipped ]]
- name: Check global results
run: |
[[ ${{ needs.global.result }} =~ success|skipped ]]
- name: Notify Slack on failure
uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990
if: ${{ failure() && github.event_name == 'merge_group' }}
env:
SLACK_LINK_NAMES: true
SLACK_MESSAGE: "At least one linting job failed for a Pull Request in the Merge Queue failed <@U0143NL4GMP> <@U02NLJY0FGX>" # Notifies C & T
SLACK_TITLE: Linting failed
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_USERNAME: GitHub
VAULT_ADDR: ""
VAULT_TOKEN: ""