semgrep checkout the action repo in a subdir to access actions and scripts

sarasvoss · sarasvoss · commit e0deed4a2a62 · 2026-01-30T10:29:26.000-05:00
diff --git a/.github/workflows/CHANGELOGS/run_semgrep_scan.md b/.github/workflows/CHANGELOGS/run_semgrep_scan.md
@@ -4,9 +4,9 @@ All notable changes to the **run_semgrep_scan** callable workflow are documented
 
 ## 1.0.1
 
-### Fixed
+### Changed
 
-- Repo-qualified internal action references to ensure correct resolution when this workflow is called from other repositories. This change allows the workflow to reliably locate and use the intended actions, regardless of the calling repository context.
+- Updated workflow to support cross-repository usage by checking out the core-github-actions repository into a subdirectory and referencing all internal actions and scripts from that subdirectory. This ensures that required actions and scripts are always available, regardless of which repository invokes the workflow.
 
 ## 1.0.0
 
diff --git a/.github/workflows/run_semgrep_scan.yml b/.github/workflows/run_semgrep_scan.yml
@@ -92,16 +92,31 @@ jobs:
       normalized_baseline: ${{ steps.semgrep.outputs.normalizedBaseline }}
 
     steps:
-      - name: Checkout code
+      - name: Checkout Calling Repo
         uses: actions/checkout@v4
         with:
           ref: ${{ inputs.commit_identifier }}
           # Full history only when diff/baseline is requested
           fetch-depth: ${{ inputs.semgrep_scan_mode == 'full' && '1' || '0' }}
 
+      - name: Checkout GHA repo
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ github.action_repository}}
+          ref: ${{ github.action_ref}}
+          path: action-repo
+
+      - run: |
+          echo "action repo ${{ github.action_repository}}"
+          echo "action ref ${{ github.action_ref}}"
+          echo "----"
+          ls
+          echo "-----"
+          cd action-repo
+          ls
       - name: Check for open PR (by commit)
         id: pr_check
-        uses: OpenSesame/core-github-actions/.github/actions/pr-open-check@actions/pr-open-check/2.0.0
+        uses: ./action-repo/core-github-actions/.github/actions/pr-open-check
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           commit-identifier: ${{ inputs.commit_identifier }}
@@ -135,7 +150,7 @@ jobs:
           SEMGREP_TARGETS: ${{ inputs.semgrep_targets }}
           FAIL_LEVEL: ${{ inputs.fail_severity }}
           EXTRA_ARGS: ${{ inputs.extra_args }}
-        run: node scripts/gha-lib/run-semgrep.js
+        run: node ./action-repo/scripts/gha-lib/run-semgrep.js
 
       - name: Upload Artifact
         if: ${{ steps.semgrep.outputs.totalFindings > 0 }}
@@ -265,7 +280,7 @@ jobs:
 
       - name: Upsert PR comment
         if: ${{ github.event_name == 'pull_request' || steps.pr_check.outputs.pr_exists == 'true' }}
-        uses: OpenSesame/core-github-actions/.github/actions/upsert-pr-comment@actions/upsert-pr-comment/1.0.0
+        uses: ./core-gha/.github/actions/upsert-pr-comment
         with:
           pr-number: ${{ steps.pr_check.outputs.pr_number }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
