fake(testing): Seeing if on:push actually triggers on squash merges.

.github/workflows/autoapprove.yml

@@ -0,0 +1,22 @@
+name: github-actions auto-approve
+on: pull_request_target
+
+permissions:
+  pull-requests: write
+  contents: write
+
+jobs:
+  approve-bot:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'github-actions' || github.actor == 'semgrep-ci[bot]'}}
+    steps:
+      - name: Enable auto-merge
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Approve
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/bump_version.yml

@@ -0,0 +1,82 @@
+jobs:
+  bump-version:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+      pull-requests: write
+      checks: write
+    env:
+      NEW_SEMGREP_VERSION: ${{ github.event.inputs.version }}
+    steps:
+      - id: jwt
+        env:
+          EXPIRATION: 600
+          ISSUER: ${{ secrets.SEMGREP_CI_APP_ID }}
+          PRIVATE_KEY: ${{ secrets.SEMGREP_CI_APP_KEY }}
+        name: Get JWT for semgrep-ci GitHub App
+        uses: docker://public.ecr.aws/y9k7q4m1/devops/cicd:latest
+
+      - id: token
+        name: Get token for semgrep-ci GitHub App
+        run: |
+          TOKEN="$(curl -X POST \
+          -H "Authorization: Bearer ${{ steps.jwt.outputs.jwt }}" \
+          -H "Accept: application/vnd.github.v3+json" \
+          "https://api.github.com/app/installations/${{ secrets.SEMGREP_CI_APP_INSTALLATION_ID }}/access_tokens" | \
+          jq -r .token)"
+          echo "::add-mask::$TOKEN"
+          echo "token=$TOKEN" >> $GITHUB_OUTPUT
+
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ steps.token.outputs.token }}
+
+      - name: Bump version in this repo
+        run: scripts/bump-version.sh "${NEW_SEMGREP_VERSION}"
+
+      - name: Commit and push
+        id: commit
+        env:
+          BRANCH: "gha/bump-version-${{ github.event.inputs.version }}-${{ github.run_id }}-${{ github.run_attempt }}"
+          SUBJECT: "Bump setup to ${{ github.event.inputs.version }}"
+        run: |
+          git config user.name ${{ github.actor }}
+          git config user.email ${{ github.actor }}@users.noreply.github.com
+          git checkout -b $BRANCH
+          git commit -am "$SUBJECT"
+          git tag "v${NEW_SEMGREP_VERSION}" HEAD
+          git remote -vv
+          git push --set-upstream origin $BRANCH
+          git push origin tag "v$NEW_SEMGREP_VERSION"
+          echo "branch=$BRANCH" >> $GITHUB_OUTPUT
+          echo "subject=$SUBJECT" >> $GITHUB_OUTPUT
+
+      - name: Create PR
+        id: open-pr
+        env:
+          SOURCE: "${{ steps.commit.outputs.branch }}"
+          TARGET: "${{ github.event.repository.default_branch }}"
+          TITLE: "chore: update pre-commit to semgrep ${{ inputs.version }}"
+          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
+          VERSION: "${{ inputs.version }}"
+        run: |
+          # check if the branch already has a pull request open
+          if gh pr list --head ${SOURCE} | grep -vq "no pull requests"; then
+              # pull request already open
+              echo "pull request from SOURCE ${SOURCE} to TARGET ${TARGET} is already open";
+              echo "cancelling release"
+              exit 1
+          fi
+          # open new pull request with the body of from the local template.
+          res=$(gh pr create --title "${TITLE}" --body "Bump Semgrep Version to ${VERSION}" \
+            --base "${TARGET}" --head "${SOURCE}")
+
+name: bump-version
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version of semgrep to use"
+        required: true
+        type: string

.github/workflows/tag-version.yaml

@@ -0,0 +1,43 @@
+jobs:
+  tag-version:
+    runs-on: ubuntu-latest
+    if: ${{contains(github.event.head_commit.message, 'Bump setup')}}
+    permissions:
+      id-token: write
+      contents: write
+      pull-requests: write
+      checks: write
+    steps:
+      - id: jwt
+        env:
+          EXPIRATION: 600
+          ISSUER: ${{ secrets.SEMGREP_CI_APP_ID }}
+          PRIVATE_KEY: ${{ secrets.SEMGREP_CI_APP_KEY }}
+        name: Get JWT for semgrep-ci GitHub App
+        uses: docker://public.ecr.aws/y9k7q4m1/devops/cicd:latest
+
+      - id: token
+        name: Get token for semgrep-ci GitHub App
+        run: |
+          TOKEN="$(curl -X POST \
+          -H "Authorization: Bearer ${{ steps.jwt.outputs.jwt }}" \
+          -H "Accept: application/vnd.github.v3+json" \
+          "https://api.github.com/app/installations/${{ secrets.SEMGREP_CI_APP_INSTALLATION_ID }}/access_tokens" | \
+          jq -r .token)"
+          echo "::add-mask::$TOKEN"
+          echo "token=$TOKEN" >> $GITHUB_OUTPUT
+
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ steps.token.outputs.token }}
+
+      - name: Bump version in this repo
+        env:
+          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
+        run: scripts/tag-version.sh "${NEW_SEMGREP_VERSION}"
+
+name: tag-version
+on:
+  push:
+    branches:
+      - develop

.pre-commit-config.yaml

@@ -5,7 +5,7 @@ default_stages: [manual]
 
 repos:
   - repo: https://github.com/semgrep/pre-commit
-    rev: 'v1.84.0'
+    rev: 'v1.84.1'
     hooks:
       - id: semgrep
         name: Pre-commit semgrep

README.md

@@ -16,7 +16,7 @@ AppSec Platform][semgrep-platform], similar to `semgrep ci`, we provide the
 
 ```yaml
 - repo: https://github.com/semgrep/pre-commit
-  rev: 'v1.84.0'
+  rev: 'v1.84.1'
   hooks:
     - id: semgrep-ci
 ```
@@ -29,7 +29,7 @@ committed with a specified config, skipping files with unknown extensions:
 
 ```yaml
 - repo: https://github.com/semgrep/pre-commit
-  rev: 'v1.84.0'
+  rev: 'v1.84.1'
   hooks:
     - id: semgrep
       # See https://semgrep.dev/explore to select a ruleset and copy its URL

a.txt

@@ -0,0 +1 @@
+a

scripts/bump-version.sh

@@ -0,0 +1,10 @@
+VERSION=$1
+OLD_VERSION=$(grep -o 'version=\"[0-9.]*\"' setup.py | sed "s/version=\"\([0-9.]*\)\"/\1/")
+
+# Do text substitution in setup.py & README.md
+sed "s/$OLD_VERSION/$VERSION/" setup.py > tmp
+mv tmp setup.py
+sed "s/$OLD_VERSION/$VERSION/" README.md > tmp
+mv tmp README.md
+sed "s/$OLD_VERSION/$VERSION/" .pre-commit-config.yaml > tmp
+mv tmp .pre-commit-config.yaml

scripts/tag-version.sh

@@ -0,0 +1,4 @@
+CURR_VERSION=$(grep -o 'version=\"[0-9.]*\"' setup.py | sed "s/version=\"\([0-9.]*\)\"/\1/")
+
+git tag "v${CURR_VERSION}" HEAD
+git push origin tag "v${CURR_VERSION}"

setup.py

@@ -5,7 +5,7 @@
 
 setup(
     name="semgrep_pre_commit_package",
-    version="1.84.0",
-    install_requires=["semgrep==1.84.0"],
+    version="1.84.1",
+    install_requires=["semgrep==1.84.1"],
     packages=[],
 )