Conversation

@sarasvoss (Contributor)

PR Summary

Jira: https://opensesame.atlassian.net/browse/CORE-5245

Description of Changes

Repo-qualified internal action references to ensure correct resolution when run_semgrep_scan workflow is called from other repositories. This change allows the workflow to reliably locate and use the intended actions, regardless of the calling repository context.

Versioning

⚠️ Components in this repo are used by multiple repos and teams. Breaking changes to non-versioned components are high-risk. Always apply correct versioning to versioned components to ensure safe, controlled updates.

Does this PR modify a versioned component?

  • No — label this PR with version:untracked
  • Yes
    • Add a version label: version:<component-name>/X.Y.Z
    • Ensure the component’s CHANGELOG.md includes a ## X.Y.Z entry
    • Use version:untracked only if changes do not alter behavior, inputs, or outputs

If version labels are incorrect or missing, automated version validation will fail and block merge.

Dependencies of PR

N/A

Testing

  • Tested internally with this repo's GHA run.
  • Won't know if the fix works until merged and called from another repo.
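To make concrete what the relative-to-qualified change fixes, here is an added, constructed illustration; it is not the project's own run_semgrep_scan.yml or any caller file. It shows a reusable workflow in OpenSesame/core-github-actions with the broken `./` form commented out beside the repository-qualified form, followed by a caller in another repository. The pr-open-check tag and the run_semgrep_scan workflow tag are the ones shown in the bot and review comments on this PR; the upsert-pr-comment tag (a placeholder), the step layout, the job names and the `secrets: inherit` line are assumptions.

```yaml
# File 1: reusable workflow hosted in OpenSesame/core-github-actions at
# .github/workflows/run_semgrep_scan.yml (constructed example, not the real file).
name: run_semgrep_scan
on:
  workflow_call:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # BROKEN when called from another repository: a "./" action path is
      # resolved inside the runner workspace, which holds whatever this job
      # checked out (normally the caller's own repository), so the action under
      # .github/actions/ of core-github-actions is not found there.
      # - name: Check for open PR (by commit)
      #   id: pr_check
      #   uses: ./.github/actions/pr-open-check

      # FIXED: repository-qualified reference pinned to a released tag. This is
      # fetched from core-github-actions regardless of which repo invokes the
      # workflow or what the workspace contains.
      - name: Check for open PR (by commit)
        id: pr_check
        uses: OpenSesame/core-github-actions/.github/actions/pr-open-check@actions/pr-open-check/2.0.0

      # Same pattern for the second internal action. The tag below is a
      # placeholder; the page does not show the released upsert-pr-comment tag.
      - name: Upsert PR comment
        if: ${{ github.event_name == 'pull_request' || steps.pr_check.outputs.pr_exists == 'true' }}
        uses: OpenSesame/core-github-actions/.github/actions/upsert-pr-comment@actions/upsert-pr-comment/X.Y.Z

---
# File 2: caller workflow in some other repository (constructed example).
# It never checks out core-github-actions; the qualified references in the
# reusable workflow make that unnecessary.
name: semgrep
on: [pull_request]

jobs:
  semgrep:
    uses: OpenSesame/core-github-actions/.github/workflows/run_semgrep_scan.yml@workflows/run_semgrep_scan/1.0.1
    secrets: inherit
```

Two checks are worth doing before relying on this. First, if core-github-actions is private, its Actions access setting has to allow the calling repositories to use its workflows and actions, or the qualified reference fails at resolution time just as the relative one did. Second, a tag such as `actions/pr-open-check/2.0.0` is a movable ref: a release process that repoints it changes what every caller runs on the next invocation, so for anything outside your own control the stricter supply-chain posture is to pin to the full commit SHA and note the tag in a comment.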

Copilot AI review requested due to automatic review settings January 29, 2026 22:13
@sarasvoss sarasvoss requested a review from a team as a code owner January 29, 2026 22:13
github-actions bot commented Jan 29, 2026

Tags

The following tags will be created on main after merge

🏷️ workflows/run_semgrep_scan/1.0.1
🏷️ actions/run-semgrep/1.0.0

Copilot AI left a comment

Pull request overview

This PR fixes action reference resolution in the run_semgrep_scan workflow by replacing relative paths with fully-qualified repository references. This ensures the workflow can correctly locate internal actions when called from external repositories.

Changes:

  • Updated action references in run_semgrep_scan.yml to use fully-qualified paths with version tags
  • Updated documentation examples to reflect the new fully-qualified reference pattern
  • Added changelog entry documenting the fix

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Summary per file:

  • .github/workflows/run_semgrep_scan.yml: updated two action references (pr-open-check and upsert-pr-comment) from relative to fully-qualified paths
  • .github/workflows/CHANGELOGS/run_semgrep_scan.md: added version 1.0.1 changelog entry documenting the fix
  • .github/actions/upsert-pr-comment/README.md: updated example usage to show a fully-qualified action reference
  • .github/actions/pr-open-check/README.md: updated example usage to show a fully-qualified action reference
  • .github/actions/TEMPLATE/README_TEMPLATE.md: updated template to use the fully-qualified action reference pattern


Copilot AI review requested due to automatic review settings January 30, 2026 15:25
@sarasvoss sarasvoss force-pushed the fix_call_from_other_repos branch from 9f4b025 to 65b00b0 Compare January 30, 2026 15:25
Copilot AI left a comment

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.


Comment on lines 105 to 106
repository: ${{ github.action_repository}}
ref: ${{ github.action_ref}}
Copilot AI Jan 30, 2026

Missing space before closing braces in GitHub context variables. Should be ${{ github.action_repository }} and ${{ github.action_ref }}.

Suggested change
repository: ${{ github.action_repository}}
ref: ${{ github.action_ref}}
repository: ${{ github.action_repository }}
ref: ${{ github.action_ref }}

Comment on lines 109 to 110
- run: ls

Copilot AI Jan 30, 2026

Debug command ls should be removed before merging to production. This appears to be a leftover debugging statement.

Suggested change
- run: ls

- name: Upsert PR comment
if: ${{ github.event_name == 'pull_request' || steps.pr_check.outputs.pr_exists == 'true' }}
uses: ./.github/actions/upsert-pr-comment
uses: ./core-gha/.github/actions/upsert-pr-comment
Copilot AI Jan 30, 2026

Inconsistent subdirectory naming. The checkout uses path: action-repo (line 107) but this reference uses core-gha. Should be ./action-repo/.github/actions/upsert-pr-comment to match the checkout path.

Suggested change
uses: ./core-gha/.github/actions/upsert-pr-comment
uses: ./action-repo/.github/actions/upsert-pr-comment

@sarasvoss sarasvoss force-pushed the fix_call_from_other_repos branch 2 times, most recently from 5d19119 to e0deed4 Compare January 30, 2026 15:29
Copilot AI review requested due to automatic review settings January 30, 2026 15:29
Copilot AI left a comment

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.


Comment on lines 105 to 111
repository: ${{ github.action_repository}}
ref: ${{ github.action_ref}}
path: action-repo

- run: |
echo "action repo ${{ github.action_repository}}"
echo "action ref ${{ github.action_ref}}"
Copilot AI Jan 30, 2026

Missing space before closing braces in template expressions. Should be github.action_repository }} and github.action_ref }}.

Suggested change
repository: ${{ github.action_repository}}
ref: ${{ github.action_ref}}
path: action-repo
- run: |
echo "action repo ${{ github.action_repository}}"
echo "action ref ${{ github.action_ref}}"
repository: ${{ github.action_repository }}
ref: ${{ github.action_ref }}
path: action-repo
- run: |
echo "action repo ${{ github.action_repository }}"
echo "action ref ${{ github.action_ref }}"

Comment on lines 109 to 125
- run: |
echo "action repo ${{ github.action_repository}}"
echo "action ref ${{ github.action_ref}}"
echo "----"
ls
echo "-----"
cd action-repo
ls
Copilot AI Jan 30, 2026

This debug step should be removed before merging. It contains temporary debugging commands (echo, ls) that are not needed in production.

Suggested change
- run: |
echo "action repo ${{ github.action_repository}}"
echo "action ref ${{ github.action_ref}}"
echo "----"
ls
echo "-----"
cd action-repo
ls

- name: Check for open PR (by commit)
id: pr_check
uses: ./.github/actions/pr-open-check
uses: ./action-repo/core-github-actions/.github/actions/pr-open-check
Copilot AI Jan 30, 2026

The path includes redundant core-github-actions directory. Since the repository is checked out to action-repo, the path should be ./action-repo/.github/actions/pr-open-check.

Suggested change
uses: ./action-repo/core-github-actions/.github/actions/pr-open-check
uses: ./action-repo/.github/actions/pr-open-check

@sarasvoss sarasvoss force-pushed the fix_call_from_other_repos branch from e0deed4 to 35c7666 Compare January 30, 2026 15:55
github-actions bot commented Jan 30, 2026

❌ Semgrep Security Scan Failed

🎉 No security issues found!

View run
🤖 Powered by Semgrep + reviewdog

Copilot AI review requested due to automatic review settings January 30, 2026 18:16
Copilot AI left a comment

Pull request overview

Copilot reviewed 15 out of 18 changed files in this pull request and generated 4 comments.


@sarasvoss sarasvoss force-pushed the fix_call_from_other_repos branch from 47a0588 to ea13444 Compare January 30, 2026 18:21
Copilot AI review requested due to automatic review settings January 30, 2026 18:30
@sarasvoss sarasvoss force-pushed the fix_call_from_other_repos branch from ea13444 to 0544994 Compare January 30, 2026 18:30
Copilot AI left a comment

Pull request overview

Copilot reviewed 15 out of 18 changed files in this pull request and generated 1 comment.

### Changed

- Updated workflow to support cross-repository usage by checking out the core-github-actions repository into a subdirectory and referencing all internal actions and scripts from that subdirectory. This ensures that required actions and scripts are always available, regardless of which repository invokes the workflow.
Copilot AI Jan 30, 2026

The changelog description mentions 'checking out the core-github-actions repository into a subdirectory', but the actual implementation uses fully-qualified action references (e.g., OpenSesame/core-github-actions/.github/actions/pr-open-check@actions/pr-open-check/2.0.0) without checking out into a subdirectory. The description should be updated to accurately reflect that the workflow now uses repository-qualified action paths instead of checking out into subdirectories.

Suggested change
- Updated workflow to support cross-repository usage by checking out the core-github-actions repository into a subdirectory and referencing all internal actions and scripts from that subdirectory. This ensures that required actions and scripts are always available, regardless of which repository invokes the workflow.
- Updated workflow to support cross-repository usage by referencing internal actions and scripts via fully-qualified paths to the `OpenSesame/core-github-actions` repository (for example, `OpenSesame/core-github-actions/.github/actions/...@...`). This ensures that required actions and scripts are always available, regardless of which repository invokes the workflow.

@sarasvoss sarasvoss force-pushed the fix_call_from_other_repos branch 2 times, most recently from 713ed1b to 41cb135 Compare January 30, 2026 18:44
Copilot AI review requested due to automatic review settings January 30, 2026 18:44
Copilot AI left a comment

Pull request overview

Copilot reviewed 17 out of 21 changed files in this pull request and generated 3 comments.

Files not reviewed (1)
  • .github/actions/run-semgrep/package-lock.json: Language not supported


@@ -0,0 +1,33 @@
const { validateEnvVar } = require('./env-helpers');
Copilot AI Jan 30, 2026

The test file imports validateEnvVar from ./env-helpers, but based on the diff in run-semgrep.js (line 4), this module should exist. However, the env-helpers.js file is not present in the provided diffs. If this file was not moved or created as part of this PR, the tests and the main script will fail at runtime.

Suggested change
const { validateEnvVar } = require('./env-helpers');
function validateEnvVar(name) {
if (!process.env[name]) {
console.error(`::error::Environment variable ${name} is required`);
process.exit(1);
}
}
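Review bot: the suggested change defines `validateEnvVar` inline in the test file, so the test would exercise a private copy of the helper rather than the module that run-semgrep.js loads through `require('./env-helpers')`, and a passing test would say nothing about the code that actually runs. The fix that keeps the test meaningful is to add the missing `env-helpers.js` to the PR (the file noted above as absent from the diff) and keep the `require` as written. Separately, `process.exit(1)` inside the helper terminates the test runner itself on the missing-variable branch, so that path cannot be asserted on; having the helper throw, or return the value and let the caller decide to exit, makes both branches testable.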

Comment on lines +1 to +3
const { validateEnvVar } = require('./env-helpers');

describe('validateEnvVar', () => {
Copilot AI Jan 30, 2026

The new test file only tests the validateEnvVar helper function. The original test file (scripts/gha-lib/run-semgrep.unit.test.js) contained comprehensive tests for multiple functions including getPrBaseBranch, normalizeBaseline, constructSemgrepCommand, stageResultsForReviewdog, getSemgrepMetrics, writeFindingsMarkdown, writeConfigMarkdown, and evaluateScanStatus. These tests should be preserved and updated to work with the new file location.

@sarasvoss sarasvoss force-pushed the fix_call_from_other_repos branch from 41cb135 to e6d8014 Compare January 30, 2026 18:50
@sarasvoss sarasvoss closed this Jan 30, 2026