fix: findings in local repo

NyanKiyoshi · NyanKiyoshi · commit 380b63bd7319 · 2026-03-09T11:47:56.000+01:00
diff --git a/.github/workflows/action-run-semgrep.yaml b/.github/workflows/action-run-semgrep.yaml
@@ -1,23 +1,12 @@
 name: Semgrep CI
 on:
   workflow_call:
-    secrets:
-      SARIF_TO_GH_COMMENT_APP_ID:
-        required: true
-        description: >
-          The ID of the GitHub application that exports SARIF results as pull request
-          annotations.
-      SARIF_TO_GH_COMMENT_APP_INSTALL_ID:
-        required: true
-        description: >
-          The repository or organization's installation ID of the GitHub application
-          exporting SARIF results as pull request annotations.
-      SARIF_TO_GH_COMMENT_APP_KEY:
-        required: true
-        description: >
-          The private key of the GitHub application exporting SARIF results
-          as pull request annotations.
     inputs:
+      sarif-export-environment:
+        type: string
+        required: true
+        description: The GitHub environment to use to exports results.
+
       check_name:
         type: string
         default: ""
@@ -74,14 +63,17 @@ env:
   DEFAULT_EXCLUDE_RULE_IDS: |
     yaml.github-actions.security.run-shell-injection.run-shell-injection
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   scan:
     if: (github.actor != 'dependabot[bot]')
     name: semgrep/ci
     runs-on: ubuntu-24.04
+
+    permissions:
+      contents: read
+
     container:
       # Note: the non-root flavor doesn't work on GHA (e.g., 1.57.0-nonroot).
       image: returntocorp/semgrep:1.153.1@sha256:50b839b576d76426efd3e5cffda2db0d8c403f53aa76e91d42ccf51485ac336c
@@ -178,6 +170,7 @@ jobs:
       - scan
     name: SARIF to PR Annotations
     runs-on: ubuntu-24.04
+    environment: ${{ inputs.sarif-export-environment }}
     container:
       # Note: distroless flavor doesn't work on GHA.
       image: ghcr.io/nyankiyoshi/less-advanced-security@sha256:689f73bed448ce40ca4ed01f6585f22665c0c302ed0e882d1fc78016c12f2880 # 0.5.0
diff --git a/.github/workflows/run-semgrep.yaml b/.github/workflows/run-semgrep.yaml
@@ -4,12 +4,10 @@ on:
     types:
       - synchronize
       - opened
-permissions:
-  contents: read
 jobs:
   scanner:
+    permissions:
+      contents: read
     uses: ./.github/workflows/action-run-semgrep.yaml
-    secrets:
-      SARIF_TO_GH_COMMENT_APP_ID: ${{ secrets.SARIF_TO_GH_COMMENT_APP_ID }}
-      SARIF_TO_GH_COMMENT_APP_INSTALL_ID: ${{ secrets.SARIF_TO_GH_COMMENT_APP_INSTALL_ID }}
-      SARIF_TO_GH_COMMENT_APP_KEY: ${{ secrets.SARIF_TO_GH_COMMENT_APP_KEY }}
+    with:
+      sarif-export-environment: semgrep-export-sarif
