name: Semgrep

on:
  workflow_dispatch:
  pull_request:
    branches:
      - master
      - main
      - development
      - release-*
  schedule:
    - cron: '30 4 * * MON'
  merge_group:

jobs:
  central-semgrep:
    name: Static Code Analysis
    uses: navi-infosec/central-semgrep-action/.github/workflows/central-semgrep.yml@master
    with:
      github-event-number: ${{github.event.number}}
      github-event-name: ${{github.event_name}}
      github-repository: ${{github.repository}}
    secrets:
      READ_SEMGREP_RULES: ${{secrets.READ_SEMGREP_RULES}}

  run-if-failed:
    runs-on: [ default ]
    needs: [ central-semgrep ]
    if: always() && (needs.semgrep.result == 'failure')
    steps:
      - name: Create comment
        if: ${{ ( github.event.number != '' ) }}
        uses: navi-synced-actions/create-or-update-comment@v2
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            **Vulnerabilities have been discovered in this PR. Please check the vulnerability Analysis section of Semgrep Workflow to understand the security vulnerability. Feel free to reach out to #sast-help for more information**
      - name: Assign Reviewers
        if: ${{ ( github.event.number != '' ) }}
        uses: navi-infosec/security-oncall-action@v1.1