Add semgrep and fix findings

.github/workflows/build-release.yml

@@ -39,9 +39,13 @@ jobs:
 
       - name: Determine version
         id: version
+        env:
+          INPUT_VERSION: ${{ github.event.inputs.version }}
+          EVENT_NAME: ${{ github.event_name }}
+          PR_LABELS: ${{ join(github.event.pull_request.labels.*.name, ',') }}
         run: |
-          if [ -n "${{ github.event.inputs.version }}" ]; then
-            VERSION="${{ github.event.inputs.version }}"
+          if [ -n "$INPUT_VERSION" ]; then
+            VERSION="$INPUT_VERSION"
             echo "Using manually specified version: ${VERSION}"
           else
             # Get the latest semver tag (ignore 'latest' tag), or use 0.0.0 if no tags exist
@@ -54,19 +58,18 @@ jobs:
             echo "Latest semver tag found: ${LATEST_TAG}"
             # Remove 'v' prefix if present
             LATEST_VERSION=${LATEST_TAG#v}
-            
+
             # Parse version components
             IFS='.' read -r -a VERSION_PARTS <<< "$LATEST_VERSION"
             MAJOR=${VERSION_PARTS[0]:-0}
             MINOR=${VERSION_PARTS[1]:-0}
             PATCH=${VERSION_PARTS[2]:-0}
-            
+
             # Determine bump type from PR labels
             BUMP_TYPE="patch"  # Default to patch
-            if [ "${{ github.event_name }}" == "pull_request" ]; then
-              PR_LABELS="${{ join(github.event.pull_request.labels.*.name, ',') }}"
+            if [ "$EVENT_NAME" == "pull_request" ]; then
               echo "PR Labels: ${PR_LABELS}"
-              
+
               if echo "${PR_LABELS}" | grep -q "major"; then
                 BUMP_TYPE="major"
               elif echo "${PR_LABELS}" | grep -q "minor"; then
@@ -75,9 +78,9 @@ jobs:
                 BUMP_TYPE="patch"
               fi
             fi
-            
+
             echo "Bump type: ${BUMP_TYPE}"
-            
+
             # Increment version based on bump type
             case "${BUMP_TYPE}" in
               major)
@@ -93,7 +96,7 @@ jobs:
                 PATCH=$((PATCH + 1))
                 ;;
             esac
-            
+
             VERSION="${MAJOR}.${MINOR}.${PATCH}"
             echo "Bumping from ${LATEST_VERSION} to ${VERSION} (${BUMP_TYPE})"
           fi

.github/workflows/e2e.yml

@@ -68,22 +68,33 @@ jobs:
 
     - name: Send failure event to PostHog
       if: failure()
+      env:
+        COMMIT_SHA: ${{ github.sha }}
+        JOB_STATUS: ${{ job.status }}
+        COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+        COMMIT_AUTHOR: ${{ github.event.head_commit.author.name }}
+        GH_REF: ${{ github.ref }}
+        GH_WORKFLOW: ${{ github.workflow }}
+        RUN_ID: ${{ github.run_id }}
+        RUN_NUMBER: ${{ github.run_number }}
+        JOB_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        MATRIX_EXAMPLE: ${{ matrix.example }}
       run: |
         curl -X POST https://webhooks.us.posthog.com/public/webhooks/019a7a81-7961-0000-d3e3-b5f34cc2a32b \
           -H "Content-Type: application/json" \
-          -d '{
-            "event": "posthog-examples-repo-test-failure",
-            "commitSha": "${{ github.sha }}",
-            "jobStatus": "${{ job.status }}",
-            "commitMessage": "${{ github.event.head_commit.message }}",
-            "commitAuthor": "${{ github.event.head_commit.author.name }}",
-            "ref": "${{ github.ref }}",
-            "workflow": "${{ github.workflow }}",
-            "runId": "${{ github.run_id }}",
-            "runNumber": "${{ github.run_number }}",
-            "jobUrl": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}",
-            "matrixExample": "${{ matrix.example }}"
-          }'
+          -d "$(jq -n \
+            --arg event "posthog-examples-repo-test-failure" \
+            --arg commitSha "$COMMIT_SHA" \
+            --arg jobStatus "$JOB_STATUS" \
+            --arg commitMessage "$COMMIT_MESSAGE" \
+            --arg commitAuthor "$COMMIT_AUTHOR" \
+            --arg ref "$GH_REF" \
+            --arg workflow "$GH_WORKFLOW" \
+            --arg runId "$RUN_ID" \
+            --arg runNumber "$RUN_NUMBER" \
+            --arg jobUrl "$JOB_URL" \
+            --arg matrixExample "$MATRIX_EXAMPLE" \
+            '{event: $event, commitSha: $commitSha, jobStatus: $jobStatus, commitMessage: $commitMessage, commitAuthor: $commitAuthor, ref: $ref, workflow: $workflow, runId: $runId, runNumber: $runNumber, jobUrl: $jobUrl, matrixExample: $matrixExample}')"
 
     - uses: actions/upload-artifact@v4
       if: always()

.github/workflows/integration.yml

@@ -70,22 +70,33 @@ jobs:
 
     - name: Send failure event to PostHog
       if: failure()
+      env:
+        COMMIT_SHA: ${{ github.sha }}
+        JOB_STATUS: ${{ job.status }}
+        COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+        COMMIT_AUTHOR: ${{ github.event.head_commit.author.name }}
+        GH_REF: ${{ github.ref }}
+        GH_WORKFLOW: ${{ github.workflow }}
+        RUN_ID: ${{ github.run_id }}
+        RUN_NUMBER: ${{ github.run_number }}
+        JOB_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        MATRIX_EXAMPLE: ${{ matrix.example }}
       run: |
         curl -X POST https://webhooks.us.posthog.com/public/webhooks/019a7a81-7961-0000-d3e3-b5f34cc2a32b \
           -H "Content-Type: application/json" \
-          -d '{
-            "event": "posthog-examples-repo-test-failure",
-            "commitSha": "${{ github.sha }}",
-            "jobStatus": "${{ job.status }}",
-            "commitMessage": "${{ github.event.head_commit.message }}",
-            "commitAuthor": "${{ github.event.head_commit.author.name }}",
-            "ref": "${{ github.ref }}",
-            "workflow": "${{ github.workflow }}",
-            "runId": "${{ github.run_id }}",
-            "runNumber": "${{ github.run_number }}",
-            "jobUrl": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}",
-            "example": "${{ matrix.example }}"
-          }'
+          -d "$(jq -n \
+            --arg event "posthog-examples-repo-test-failure" \
+            --arg commitSha "$COMMIT_SHA" \
+            --arg jobStatus "$JOB_STATUS" \
+            --arg commitMessage "$COMMIT_MESSAGE" \
+            --arg commitAuthor "$COMMIT_AUTHOR" \
+            --arg ref "$GH_REF" \
+            --arg workflow "$GH_WORKFLOW" \
+            --arg runId "$RUN_ID" \
+            --arg runNumber "$RUN_NUMBER" \
+            --arg jobUrl "$JOB_URL" \
+            --arg example "$MATRIX_EXAMPLE" \
+            '{event: $event, commitSha: $commitSha, jobStatus: $jobStatus, commitMessage: $commitMessage, commitAuthor: $commitAuthor, ref: $ref, workflow: $workflow, runId: $runId, runNumber: $runNumber, jobUrl: $jobUrl, example: $example}')"
 
     - uses: actions/upload-artifact@v4
       if: always()

.github/workflows/security.yml

@@ -0,0 +1,28 @@
+name: Security
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  semgrep-general:
+    name: Semgrep General
+    runs-on: ubuntu-24.04
+    container:
+      image: returntocorp/semgrep
+    env:
+      SEMGREP_ENABLE_VERSION_CHECK: 'false'
+    steps:
+      - uses: actions/checkout@v4
+      - run: |
+          semgrep \
+            --config "p/owasp-top-ten" \
+            --config "p/security-audit" \
+            --config "p/trailofbits" \
+            --config "p/github-actions" \
+            --error \
+            --metrics=off \
+            --verbose \
+            .