security(semgrep): test run semgrep full

Author: moscaale

.github/workflows/security.yml

@@ -0,0 +1,49 @@
+name: Semgrep
+
+on:
+  push:
+    branches:
+      - main
+      - '**'
+  release:
+    types:
+      - published
+      - edited
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  semgrep-diff:
+    name: Semgrep SAST (diff)
+    if: github.event_name == 'pull_request' && (github.event_name == 'push' && github.ref != 'refs/heads/main')
+    runs-on: ubuntu-latest
+    container:
+      image: semgrep/semgrep
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run Semgrep (diff only)
+        run: semgrep ci --config auto
+
+  semgrep-full:
+    name: Semgrep SAST (full)
+    if: github.event_name == 'release' || github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref == 'refs/heads/main')
+    runs-on: ubuntu-latest
+    container:
+      image: semgrep/semgrep
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run Semgrep (WARNING severity)
+        run: |
+          semgrep scan \
+            --config auto \
+            --severity WARNING
+          exit 0  # Ne jamais bloquer ce job
+
+      - name: Run Semgrep (ERROR severity only)
+        run: |
+          semgrep scan \
+            --config auto \
+            --severity ERROR \
+            --error