Skip to content

Commit 3807901

Browse files
armchairlinguistarmchairlinguist
authored
[KB] Update reusable workflows KB to accurately describe secrets behavior (#1938)
--------- Co-authored-by: Katie Horne <[email protected]>
1 parent 46a0721 commit 3807901

File tree

1 file changed

+10
-14
lines changed

1 file changed

+10
-14
lines changed

docs/kb/semgrep-ci/github-reusable-workflows-semgrep.md

+10-14
Original file line numberDiff line numberDiff line change
@@ -7,28 +7,20 @@ description: Learn how to set up reusable GitHub workflows for Semgrep scans.
77
append_help_link: true
88
---
99

10-
11-
1210
# Set up reusable GitHub workflows for Semgrep scans
1311

14-
Reusable workflows allow you to simplify the process of configuring `.github/workflows/semgrep.yml` files for each of your repositories. You define a workflow once, then reuse it in other workflows. In addition to having a single, centralized Semgrep configuration that makes maintenance easier, you [also avoid duplication](https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview).
12+
Reusable workflows allow you to simplify the process of configuring `.github/workflows/semgrep.yml` files for each of your repositories. You define a workflow once in a central repository, then reuse it in workflows in other repositories. This [avoids duplication](https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview) and makes maintenance easier.
1513

1614
Reusable workflows can be triggered by several types of events, including push, pull request, and schedule. This makes them relatively flexible compared to repository rulesets. Repository rulesets or branch protection rules can only be triggered by pull request event types.
1715

1816
## Set up a reusable workflow
1917

2018
1. Create a new repository to hold your reusable workflow, and add a `.github/workflows/semgrep.yml` file.
2119
![image info](/img/kb/reusable-workflows-image-1.png)
22-
2. Add the job configuration to `semgrep.yml` under `jobs:`. You can use either the job definition from the [recommended snippet](/docs/semgrep-ci/sample-ci-configs#sample-github-actions-configuration-file) or your current job configuration.
23-
3. Under the `on:` key, add `workflow_call`. This defines the condition to trigger the job described in the reusable workflow: when another repository calls it.
20+
2. Add the job configuration to `semgrep.yml` under `jobs:`. You can use the job definition from the [recommended snippet](/docs/semgrep-ci/sample-ci-configs#sample-github-actions-configuration-file) or your current job configuration.
21+
3. Under the `on:` key, add `workflow_call`. This defines the condition to trigger the job described in the reusable workflow: when another repository calls it. Other keys under `on:` are optional for the reusable workflow.
2422
![image info](/img/kb/reusable-workflows-image-2.png)
25-
4. In each repository where you want your reusable workflow called, create or update the `semgrep.yml` file to call the reusable workflow. To do this, modify the `jobs:` key.
26-
27-
Configure the `SEMGREP_APP_TOKEN` secret in the *reusable* workflow, then add it to the *calling* workflow under the `secrets: inherit` key:
28-
29-
![image info](/img/kb/reusable-workflows-image-3.png)
30-
31-
Here is a sample YAML file for the calling workflows. When using this sample file, be sure to update the schedule under `on` and the repository details and path for the reusable workflow under `jobs`.
23+
4. In each repository where you want your reusable workflow called, create or update the `semgrep.yml` file to call the reusable workflow. To do this, include `uses` under the `jobs:` key as shown in the following sample configuration.
3224

3325
```
3426
name: Semgrep
@@ -40,13 +32,17 @@ on:
4032
# Schedule the CI job (this method uses cron syntax):
4133
schedule:
4234
# Please change the cron schedule to a random time to avoid load spikes on GHA.
43-
- cron: '20 17 * * *' # Sets Semgrep to scan every day at 17:20 UTC.
35+
- cron: '24 13 * * *' # Sets Semgrep to scan every day at 13:24 UTC.
4436
jobs:
4537
call-semgrep:
4638
uses: {ORG}/{REPO}/.github/workflows/semgrep.yml@main
4739
secrets: inherit
4840
```
4941

42+
When using this sample configuration, be sure to update the schedule under `on` to a random time, and set repository details and path for the reusable workflow under `jobs` to match where you stored your reusable workflow.
43+
44+
The `secrets: inherit` line passes the secrets from the calling workflow to the called workflow, so each calling repository must also have a `SEMGREP_APP_TOKEN` secret added. GitHub [does not currently support](https://github.com/github/roadmap/issues/636) passing secrets from a central reusable workflow (the called workflow) to the calling workflows.
45+
5046
## Run a scan
5147

5248
Once you've configured the workflows for your repositories, the reusable workflow is called whenever a triggering event occurs, such as when a developer opens a pull request or commits a change.
@@ -55,4 +51,4 @@ Once you've configured the workflows for your repositories, the reusable workflo
5551

5652
## Limitations
5753

58-
As described in [Set up a reusable workflow](#set-up-a-reusable-workflow), you still need to create a `.github/workflows/semgrep.yml` file for each repository to call the reusable workflow. This is in contrast to [repository rulesets](/docs/kb/semgrep-ci/github-repository-rulesets-semgrep), which only require the central workflow file to be added.
54+
As described in [Set up a reusable workflow](#set-up-a-reusable-workflow), you must create a `.github/workflows/semgrep.yml` file for each repository to call the reusable workflow **and** add a `SEMGREP_APP_TOKEN` secret to the repository. This is in contrast to [repository rulesets](/docs/kb/semgrep-ci/github-repository-rulesets-semgrep), which only require the central workflow file to be added.

0 commit comments

Comments
 (0)