build: add built-from-source github action for semgrep #1073

Merged
merged 4 commits into from
May 12, 2025
53 changes: 53 additions & 0 deletions .github/workflows/build_semgrep_wheel.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

name: Build Semgrep Wheel Artifact

on: workflow_dispatch

permissions:
contents: read

jobs:
build-semgrep-wheel:
name: Build Semgrep wheel
runs-on: ubuntu-latest
permissions:
packages: write # to push the docker image
defaults:
run:
shell: bash

steps:
# To update the semgrep version, please apply the following changes:
# change the version tag in the 'name' description
# change the 'ref' field to use the commit hash of that tag
- name: Check out Semgrep v1.113.0 repository
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
repository: semgrep/semgrep.git
ref: 4729a05d24bf9cee8face447e8a6d418037d61d8 # v1.113.0
fetch-depth: 1 # only need most recent commits to this tag
submodules: recursive # semgrep uses many of their own ocaml submodules, which are required to build

- name: Build wheel through docker
# we build to the 'semgrep-wheel' target as we don't need the performance testing, and want to extract the wheel
run: |
docker build --target semgrep-wheel -t semgrep .
docker create --name temp semgrep
mkdir -p wheels/
docker cp temp:/semgrep/cli/dist/. wheels/
docker container rm temp

- name: Log in to GitHub Container Registry
run: docker login ghcr.io --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }}

# The manylinux image will be a static binary built using musl, suitable for Oracle linux
- name: Build and push semgrep wheel image
run: |
cd wheels
WHEEL=$(find . -type f -name 'semgrep-*manylinux*.whl')
echo "FROM scratch
COPY ${WHEEL} /semgrep_wheel.whl" >> Dockerfile.semgrep
docker build -t ghcr.io/macaron/macaron-deps:latest -f Dockerfile.semgrep .
docker push ghcr.io/macaron/macaron-deps:latest
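Review bot: in the "Build and push semgrep wheel image" step, `WHEEL=$(find . -type f -name 'semgrep-*manylinux*.whl')` is never checked, so if the docker build produced no manylinux wheel (or more than one) the generated Dockerfile gets an empty or multi-path `COPY` and the step fails with an unrelated error, or silently picks up an unintended file; add a guard such as `[ "$(echo "$WHEEL" | wc -l)" -eq 1 ] && [ -n "$WHEEL" ] || exit 1` before writing Dockerfile.semgrep, and use `>` rather than `>>` so the file is created fresh rather than appended to. On the supply-chain side, the image is pushed only as `ghcr.io/macaron/macaron-deps:latest`, a mutable tag, even though the step above pins Semgrep to commit 4729a05d24bf9cee8face447e8a6d418037d61d8 (v1.113.0); pushing an additional immutable tag such as `semgrep-1.113.0` and printing the pushed digest (`docker inspect --format '{{index .RepoDigests 0}}' ...`) would let consumers pin by digest and tie the artifact back to the Semgrep ref it was built from. Finally, `docker login ghcr.io --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }}` passes the token as a command-line argument, which Docker itself warns is insecure; prefer `echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io --username ${{ github.actor }} --password-stdin`, or the pinned `docker/login-action`.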