TMP

.config/semgrep/strict.yaml

@@ -5,7 +5,10 @@ rules:
           def $FUNC(...):
             ...
       - pattern: |
-          "...evil..."
-    message: "Function '$FUNC' contains evil"
+          "=~/.*evil1.*$/"
+      # TODO somehow allow matching a separate node
+      - pattern: |
+          "=~/.*evil2.*$/"
+    message: "Function '$FUNC' contains evil1 and evil2"
     languages: [python]
     severity: ERROR

.github/workflows/semgrep.yaml

@@ -93,7 +93,7 @@ jobs:
           # But we want a pinned version of the tools for security
           # given that we need to give GitHub API access
           #
-          # Use `github-pr-check` here AND `fail-on-error`. The CI check stops you from missing
+          # Use `github-pr-check` here AND `fail-level=any` (fail). The CI check stops you from missing
           # them and the `github-pr-check` is less noisy than emitting a full PR review.
           jq -r '.results[] | "E:\(.path):\(.end.line) \(.extra.message)"' semgrep-strict.json \
           | reviewdog \
@@ -101,5 +101,5 @@ jobs:
               -name="semgrep-strict" \
               -reporter=github-pr-check \
               -filter-mode=added \
-              -fail-on-error=true \
+              -fail-level=any \
               -level=error

synapse/storage/databases/main/sticky_events.py

@@ -134,12 +134,11 @@ class StickyEventsWorkerStore(StateGroupWorkerStore, CacheInvalidationWorkerStor
         """
 
         print("evil")
+        print("the forces are here")
 
         return self._sticky_events_id_gen.get_current_token()
 
     def get_sticky_events_stream_id_generator(self) -> MultiWriterIdGenerator:
-        print("the forces of evil are here")
-
         return self._sticky_events_id_gen
 
     async def get_sticky_events_in_rooms(