security(semgrep): test run semgrep full

moscaale · moscaale · commit c184b6c19e96 · 2026-03-19T16:47:03.000+01:00
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -26,26 +26,24 @@ jobs:
         run: semgrep ci --config auto --sarif --output semgrep.sarif
         env:
           SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
-      - uses: github/codeql-action/upload-sarif@v3
+      - uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: semgrep.sarif
 
-  # Scan complet sur push main et releases (thorough)
   semgrep-full:
     name: Semgrep SAST (full)
-    if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch'
+    if: github.event_name == 'push' || github.event_name == 'release' || github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     container:
       image: semgrep/semgrep
     steps:
       - uses: actions/checkout@v4
       - name: Run Semgrep (full scan)
         run: semgrep scan --config auto --sarif --output semgrep.sarif
-        #    👆 "scan" au lieu de "ci" = scan complet, pas de diff
         env:
           SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
-      - uses: github/codeql-action/upload-sarif@v3
+      - uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: semgrep.sarif
