switch to --exclude flag

Author: NyanKiyoshi

.github/workflows/action-run-semgrep.yaml

@@ -57,8 +57,8 @@ env:
     auto
     p/ci
     r/yaml.github-actions
-    ${{ runner.temp }}/saleor-rules/yaml
-    ${{ runner.temp }}/saleor-rules/typescript
+    ./saleor-rules/yaml
+    ./saleor-rules/typescript
   # yaml.github-actions.[...].run-shell-injection is duplicate of saleor-rules.yaml.github-actions.script-injection
   DEFAULT_EXCLUDE_RULE_IDS: |
     yaml.github-actions.security.run-shell-injection.run-shell-injection
@@ -102,9 +102,7 @@ jobs:
           # Note: the directory name will be used for rule IDs
           # (e.g., saleor-rules.typescript.my-check).
           # Thus avoid changing the path and ensure the name is meaningful.
-          # NOTE: this needs to be outside ./ otherwise Semgrep will scan that folder
-          #       as well.
-          path: ${{ runner.temp }}/saleor-rules
+          path: ./saleor-rules
           set-safe-directory: false
 
       - name: Run Semgrep Rules
@@ -128,6 +126,9 @@ jobs:
               # 'git add --force' from being silently ignored, thus forcing
               # the users to be explicit.
               "--no-git-ignore"
+              # Prevents Semgrep from scanning the repo 'saleor/semgrep-rules' as it
+              # can cause unrelated findings
+              "--exclude=./saleor-rules/"
           )
 
           # Add extra logging if the runner was run with debug logging.