
Update semgrep runner #4356

Merged
leaanthony merged 8 commits into v3-alpha from semgrep-1 on Jun 16, 2025

Conversation

@leaanthony
Member

@leaanthony leaanthony commented Jun 14, 2025

Description

Ubuntu-20.04 was deprecated.

Summary by CodeRabbit

  • Bug Fixes
    • Resolved a macOS crash that could occur when closing a window with a pending asynchronous function call.
  • Documentation
    • Added a changelog entry describing the macOS crash fix.
  • Chores
    • Updated the GitHub Actions workflow to use Ubuntu 24.04 for Semgrep checks.

@dosubot dosubot bot added the size:XXL This PR changes 1000+ lines, ignoring generated files. label Jun 14, 2025
@coderabbitai
Contributor

coderabbitai bot commented Jun 14, 2025

Walkthrough

The updates include changing the Semgrep workflow runner to Ubuntu 24.04, documenting a macOS crash fix in the changelog, and enhancing a safety check in the execJS method to prevent JavaScript execution when the parent window is destroyed.

Changes

File(s) Change Summary
.github/workflows/semgrep.yml Updated Semgrep GitHub Actions workflow to use Ubuntu 24.04 runner instead of Ubuntu 20.04.
docs/src/content/docs/changelog.mdx Added a changelog entry documenting a macOS crash fix related to closing windows with async calls.
v3/pkg/application/webview_window_darwin.go Enhanced execJS to check if the parent window is destroyed before executing JavaScript.

Sequence Diagram(s)

sequenceDiagram
    participant App
    participant macosWebviewWindow
    participant ParentWindow

    App->>macosWebviewWindow: execJS(jsCode)
    macosWebviewWindow->>macosWebviewWindow: Check nsWindow == nil
    macosWebviewWindow->>ParentWindow: isDestroyed()
    alt nsWindow is nil or ParentWindow is destroyed
        macosWebviewWindow-->>App: Return (do not execute JS)
    else
        macosWebviewWindow->>macosWebviewWindow: Execute JS
    end

Poem

A bunny hops with nimble cheer,
For Ubuntu’s fresh and new is here!
A crash on Mac now hops away,
With parent checks to save the day.
Changelogs grow, the code is spry—
Bugs are gone, so let’s high-paw! 🐾


📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 89d59c4 and 9179966.

📒 Files selected for processing (1)
  • docs/src/content/docs/changelog.mdx (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • docs/src/content/docs/changelog.mdx
⏰ Context from checks skipped due to timeout of 90000ms (8)
  • GitHub Check: Run Go Tests v3 (macos-latest, 1.24)
  • GitHub Check: Run Go Tests v3 (windows-latest, 1.24)
  • GitHub Check: Run Go Tests v3 (ubuntu-latest, 1.24)
  • GitHub Check: semgrep-cloud-platform/scan
  • GitHub Check: semgrep/ci
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Analyze (go)
  • GitHub Check: Cloudflare Pages


@leaanthony leaanthony changed the base branch from master to v3-alpha June 14, 2025 11:18
@dosubot dosubot bot added size:XS This PR changes 0-9 lines, ignoring generated files. github_actions Pull requests that update GitHub Actions code and removed size:XXL This PR changes 1000+ lines, ignoring generated files. labels Jun 14, 2025
@github-actions github-actions bot added Documentation Improvements or additions to documentation MacOS v3-alpha labels Jun 14, 2025
@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Jun 14, 2025

Deploying wails with Cloudflare Pages

Latest commit: 1627297
Status: ✅  Deploy successful!
Preview URL: https://c15ed875.wails.pages.dev
Branch Preview URL: https://semgrep-1.wails.pages.dev


Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
v3/pkg/application/webview_window_darwin.go (1)

1041-1054: Extra destroyed-window guard LGTM

The added w.parent.isDestroyed() check prevents crashes when async JS executes after the window is closed.
No further issues spotted – C.CString allocation happens only when the guard passes, so no leaked C strings.

If you ever make w.parent optional, add a nil check to avoid a panic:

if w.nsWindow == nil || w.parent == nil || w.parent.isDestroyed() {
    return
}
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 86f8916 and 89d59c4.

📒 Files selected for processing (3)
  • .github/workflows/semgrep.yml (1 hunks)
  • docs/src/content/docs/changelog.mdx (1 hunks)
  • v3/pkg/application/webview_window_darwin.go (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: Run Go Tests v3 (macos-latest, 1.24)
  • GitHub Check: Cloudflare Pages
🔇 Additional comments (2)
.github/workflows/semgrep.yml (1)

18-18: ❓ Verification inconclusive

Runner bump looks fine – but pin the container image for reproducibility

ubuntu-24.04 is already generally available, so the runner switch is OK.
However, the workflow still pulls returntocorp/semgrep without a tag or digest, meaning every run may use a different Semgrep version.

-      image: returntocorp/semgrep
+      # Pin to a specific Semgrep version to avoid unexpected CI breakages
+      image: returntocorp/semgrep:1.88.0
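Review bot: the `+      image: returntocorp/semgrep:1.88.0` line pins a tag, and a tag is still mutable (the publisher can re-push it), so the reproducibility claim in the sentence above only fully holds if the tag is paired with a content digest, e.g. `image: returntocorp/semgrep:1.88.0@sha256:<digest of that release>` (the digest here is a placeholder to be resolved from the registry); the tag then stays as a readable label while the digest is what the runner actually verifies.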

Pinning avoids silent upgrades that could fail the pipeline or produce inconsistent results.
Also double-check that the chosen Semgrep tag supports Ubuntu 24.04 (glibc/glibcxx compatibility).


🏁 Script executed:

#!/bin/bash
grep -R "returntocorp/semgrep" -n .github/workflows/semgrep.yml || echo "Not found"

Length of output: 100


🏁 Script executed:

#!/usr/bin/env bash
# 1. Check if the suggested Semgrep tag 1.88.0 exists on Docker Hub
echo "Checking for tag 1.88.0..."
curl -s "https://registry.hub.docker.com/v2/repositories/returntocorp/semgrep/tags?page_size=300" \
  | jq -r '.results[].name' \
  | grep -x "1.88.0" \
  && echo "✅ Tag '1.88.0' found" \
  || echo "❌ Tag '1.88.0' not found"

# 2. Determine the latest available 1.x.x Semgrep tag
echo "Determining latest 1.x.x Semgrep tag..."
latest=$(curl -s "https://registry.hub.docker.com/v2/repositories/returntocorp/semgrep/tags?page_size=300" \
  | jq -r '.results[].name' \
  | grep -E '^1\.[0-9]+\.[0-9]+$' \
  | sort -V \
  | tail -n1)
echo "Latest Semgrep tag: $latest"

Length of output: 604


Pin the Semgrep container image for reproducible CI

The workflow currently uses an untagged image:

    image: returntocorp/semgrep

That implicitly pulls latest on every run, risking silent upgrades and CI breakages. Pin it to a specific Semgrep release:

-      image: returntocorp/semgrep
+      image: returntocorp/semgrep:<SEMgrep-version>  # e.g. 1.88.0 or the latest stable tag
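Review bot: the `+` line carries the placeholder `<SEMgrep-version>`, so this cannot be applied as a suggestion without editing it first; give a concrete tag (and preferably an `@sha256:` digest alongside it) instead. The bullet that follows points at `line 22` of `.github/workflows/semgrep.yml` while this comment is anchored at `18-18`; one of the two line references is wrong and should be reconciled.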

• Update .github/workflows/semgrep.yml (line 22) to include a fixed tag
• Verify the chosen tag exists on Docker Hub: https://hub.docker.com/r/returntocorp/semgrep/tags
• No host glibc/glibcxx concerns—containers bundle their own runtime

docs/src/content/docs/changelog.mdx (1)

131-131: No technical concerns – entry correctly documents the fix.
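An added example (my own, not code from this PR or the Wails repository) that turns the image-pinning point raised above into a check a CI maintainer can run over a workflow file: it classifies each `image:` reference as digest-pinned, tag-only, or unpinned, and fails when anything short of a digest is found. The workflow fragment it scans is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not part of this PR or the Wails project: a small linter that
# classifies every `image:` reference in a GitHub Actions workflow by pin strength.

# classify_image_ref REF -> prints one of:
#   digest  reference carries @sha256:<hex>, i.e. an immutable content address
#   tag     reference has a tag only; tags are mutable and can be re-pushed
#   none    bare repository name, which silently resolves to :latest
classify_image_ref() {
  local ref="$1" last
  case "$ref" in
    *@sha256:[0-9a-f]*) echo digest; return ;;
  esac
  last="${ref##*/}"   # last path component, so a registry port like ghcr.io:443/ is ignored
  case "$last" in
    *:*) echo tag ;;
    *)   echo none ;;
  esac
}

# scan_workflow < workflow.yml -> prints "<line>:<class>:<ref>" for each image key;
# exit status is 1 if any reference is not digest-pinned, 0 otherwise.
scan_workflow() {
  local rc=0 n=0 line ref cls
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      *image:*)
        ref="${line#*image:}"
        ref="${ref%%#*}"                                   # drop a trailing YAML comment
        ref=$(printf '%s' "$ref" | tr -d "[:space:]\"'")   # strip whitespace and quotes
        [ -n "$ref" ] || continue
        cls=$(classify_image_ref "$ref")
        printf '%s:%s:%s\n' "$n" "$cls" "$ref"
        [ "$cls" = digest ] || rc=1
        ;;
    esac
  done
  return "$rc"
}

# Demo on a constructed fragment mirroring the unpinned image discussed in this PR.
if scan_workflow <<'EOF'
    container:
      image: returntocorp/semgrep
EOF
then echo "all container images are digest-pinned"
else echo "unpinned container image references found"
fi
```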


@leaanthony leaanthony merged commit 01ed7af into v3-alpha Jun 16, 2025
18 of 55 checks passed
@leaanthony leaanthony deleted the semgrep-1 branch June 16, 2025 12:11
Etesam913 pushed a commit to Etesam913/wails that referenced this pull request Jul 6, 2025
* Update semgrep workflow

---------

Co-authored-by: joshhardy <joshhardy@users.noreply.github.com>