fix: suppress Codacy semgrep workflow_run checkout warning

JE-Chen · JE-Chen · commit 9b48a4fffb79 · 2026-04-28T23:03:29.000+08:00
Add a yaml.github-actions.security.workflow-run-target-code-checkout
nosemgrep marker on the actions/checkout step in publish-pypi.yml.
The rule fires on any workflow_run+checkout combination, but the
job's if-clause already gates on workflow_run.head_branch == 'main'
and workflow_run.event != 'pull_request', so a fork PR head can
never reach this checkout. The check is supplemented by pinning
the ref to workflow_run.head_sha.
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
@@ -23,6 +23,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      # nosemgrep: yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout
+      # The job's `if` already gates on workflow_run.head_branch == 'main'
+      # and workflow_run.event != 'pull_request', so a fork PR head can
+      # never reach this checkout. We pin to workflow_run.head_sha to
+      # publish exactly the commit that passed CI on main.
       - name: Checkout the exact commit that passed CI
         uses: actions/checkout@v4
         with:
