---
# SAST workflow: runs a single Semgrep job on pull requests, on pushes to
# the develop and release/* branches, and on manual dispatch.
name: SAST

on:
  workflow_dispatch: {}
  pull_request: {}
  push:
    branches:
      - 'develop'
      - 'release/*'

jobs:
  semgrep:
    name: Semgrep SAST
    runs-on: ubuntu-22.04
    # Hard stop so a hung scan cannot hold a runner indefinitely.
    timeout-minutes: 5
    # Skip the job when the triggering actor is Dependabot.
    # NOTE(review): those runs get no SAST result from this job; confirm
    # dependency-update PRs are covered by another control.
    if: (github.actor != 'dependabot[bot]')
    # Explicit job-level grant: scopes not listed here are not given to
    # the job token, so keep this list minimal.
    permissions:
      # required for all workflows
      # (presumably for publishing scan results; confirm against the action)
      security-events: write
      # only required for workflows in private repositories
      actions: read
      contents: read
    steps:
      # NOTE(review): v4 is a mutable tag, while the next step is pinned to
      # a full commit SHA; consider pinning this one the same way
      # (actions/checkout@<full-commit-sha>  # v4.x.y).
      # NOTE(review): checkout leaves the job token configured for git by
      # default; `persist-credentials: false` avoids that if the scan step
      # needs no git authentication. Confirm before changing.
      - uses: actions/checkout@v4
      # Third-party action pinned by commit SHA; the trailing comment
      # records the release that SHA is expected to correspond to.
      - uses: Kong/public-shared-actions/security-actions/semgrep@a18abf762d6e2444bcbfd20de70451ea1e3bc1b1  # 4.0.1