ci: Initial run of Semgrep scan#1084
Conversation
--- Subject: Added initial Semgrep scan
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1084 +/- ##
=======================================
Coverage 43.44% 43.44%
=======================================
Files 143 143
Lines 13621 13621
=======================================
Hits 5917 5917
Misses 7143 7143
Partials 561 561 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Updated the Semgrep action SHA
Updated the Semgrep action SHA
Summary: This workflow will run SAST needed scans
There was a problem hiding this comment.
Pull request overview
Adds an initial Semgrep scanning workflow to the repository and includes a few workflow and Windows tray-related tweaks.
Changes:
- Added a new GitHub Actions workflow to run Semgrep on pushes/PRs.
- Updated the Windows tray single-instance logic to use
golang.org/x/sys/windowsAPIs. - Adjusted CI/release workflows (added
workflow_dispatch; tweaked semantic-release invocation/output handling).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
cmd/app/tray_windows.go |
Switches Win32 interop from syscall to x/sys/windows; refactors mutex and browser-launch code. |
.github/workflows/semgrep.yml |
Introduces a Semgrep scan workflow using a pinned container image and reusable action. |
.github/workflows/release.yml |
Updates the dry-run semantic-release step environment variable usage and output redirection quoting. |
.github/workflows/ci.yml |
Adds YAML document marker and enables manual dispatch. |
|
@adimoft : can you please resolve the copilot review comments |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Upgraded golang/x/net to 0.55.0 fixing a HIGH Trivy issue
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
sudhir-intc
left a comment
There was a problem hiding this comment.
Changes LGTM.
@MadhaviLosetty : Please have a look at these changes.
@adimoft : How did you test your changes ?
I just implemented the Semgrep workflow, added some small corrections to ci.yml and after running the semgrep scan there were 3 findings some in release.yml and some in tray_windows.go. I created then some patch-set commits for fixing the Semgrep findings. This is all I done. |
|
@adimoft Thanks for putting these changes together. A couple of small asks: Can we restore the doc comments on the instance/mutex helpers? The difference between Also, for |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
This pull request introduces several improvements and refactorings, primarily focused on Windows-specific code in
cmd/app/tray_windows.goand CI workflow enhancements. The Windows code now consistently uses thegolang.org/x/sys/windowspackage instead of the standardsyscallpackage, improving maintainability and future compatibility. Additionally, new CI workflows are added and existing ones are refined.Windows code refactoring and modernization:
tray_windows.goto use thegolang.org/x/sys/windowspackage instead of the deprecatedsyscallpackage, including DLL and procedure loading, UTF16 string handling, and error types. This affects mutex handling, message box display, and process attributes. [1] [2] [3] [4] [5]CI/CD workflow improvements:
.github/workflows/semgrep.ymlworkflow to run Semgrep security scans on pushes and pull requests to themainbranch, increasing code security and compliance.workflow_dispatch) for the main CI workflow in.github/workflows/ci.yml..github/workflows/release.ymlby refining how branches are passed tosemantic-releaseand correcting output handling.