ci: add Semgrep OSS scanning workflow

[hrushikeshdeshpande]

Summary

Adds Semgrep Community Edition (OSS) scanning to this repository as part of the App&ProdSec team's migration from Semgrep Pro to Semgrep CE.

What it does

• Runs on every PR, on push to the main/master branch, and monthly on a staggered schedule.
• Uses actions/cache@v5 so pip install semgrep only runs on cold cache (first run, version bump, or 7-day idle).
• Pinned to semgrep==1.160.0 with --config=auto (default OSS ruleset).
• Runs on ubuntu-slim with contents: read token scope.

For reviewers

• Findings are informational; the job does not block on findings.
• First PR after merge installs Semgrep; subsequent PRs skip that step.

See the internal App&ProdSec email for migration context, or ping us internally.

[cloudflare-workers-and-pages]

Deploying research-cloudflare-com with    Cloudflare Pages

Latest commit:	89d8d49
Status:	✅  Deploy successful!
Preview URL:	https://ae579c04.research-cloudflare-com.pages.dev
Branch Preview URL:	https://hrushikesh-add-semgrep-oss-w.research-cloudflare-com.pages.dev

View logs

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
❌ Deployment failed View logs	cloudflare-research	89d8d49	Apr 23 2026, 10:54 PM

[nivekpraht]

Yes Yahoo Mail: Search, Organize, Conquer On Thu, Apr 23, 2026 at 20:24, ***@***.***> wrote: cloudflare-workers-and-pages[bot] left a comment (cloudflare/research.cloudflare.com#234) Deploying with    Cloudflare Workers The latest updates on your project. Learn more about integrating Git with Workers. | Status | Name | Latest Commit | Updated (UTC) | | 🔵 In progress View logs | cloudflare-research | 89d8d49 | Apr 23 2026, 10:53 PM | — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>