---
name: Semgrep

# `on` is a YAML 1.1 truthy key; GitHub's loader reads it as intended.
on:  # yamllint disable-line rule:truthy
  push:
    # Assuming $CI_DEFAULT_BRANCH is 'main', adjust if different
    branches: [main, development]
  pull_request:
  workflow_dispatch:  # Equivalent to $CI_PIPELINE_SOURCE == "web"

# Read-only repository token: the scan only needs to read the checkout.
permissions:
  contents: read

jobs:
  semgrep:
    name: semgrep/ci
    runs-on: ubuntu-latest
    container:
      # NOTE(review): a mutable `latest` tag lets the image change under the
      # workflow between runs; pin to an immutable tag or a digest
      # (`image@sha256:<digest>`) once the intended build is known.
      image: mydatapath/semgrep-gitea:latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Semgrep scan
        run: semgrep ci
        env:
          # Only the Semgrep App token is exposed to this step.
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
          # At this time, Gitea integration isn't supported with semgrep
          # To configure PR comments on Gitea, see Semgrep documentation
          # GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}