Try to configure Semgrep to run without auth in CI

so we can run it for all contributions and don't depend on the
availability of the Semgrep servers.

Author: ericcornelissen

.github/workflows/checks.yml

@@ -159,6 +159,26 @@ jobs:
           npm pack
       - name: Verify checksum
         run: shasum --check checksums.txt --strict
+  semgrep:
+    name: Semgrep
+    runs-on: ubuntu-24.04
+    permissions:
+      security-events: write # To upload SARIF results
+    container:
+      image: semgrep/semgrep
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        with:
+          persist-credentials: false
+      - name: Perform Semgrep analysis
+        run: semgrep --sarif --output semgrep.sarif
+        env:
+      - name: Upload Semgrep report to GitHub
+        uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
+        if: ${{ failure() || success() }}
+        with:
+          sarif_file: semgrep.sarif
   test-breakage:
     name: Breakage
     runs-on: ubuntu-24.04