name: Semgrep
on:
  pull_request: {}
  push:
    branches:
      - master

jobs:
  check:
    if: "! startsWith(github.event.head_commit.message, '[CI Skip]') && (!github.event.pull_request || github.event.pull_request.head.repo.full_name == github.repository)"
    runs-on: ubuntu-latest
    env:
      YARN_ENABLE_SCRIPTS: false
    steps:
      - uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e
      - uses: returntocorp/semgrep-action@aeafd770072c4f48798b991e3449592bddc2c435
        with:
          auditOn: push
          publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
          publishDeployment: 1395