From 15449dcfc0705d5359ee2741d669c846b8e8ef3a Mon Sep 17 00:00:00 2001
From: Olivier 'reivilibre
Date: Mon, 16 Mar 2026 13:43:20 +0000
Subject: [PATCH] TMP
---
 .config/semgrep/strict.yaml | 7 +++++--
 .github/workflows/semgrep.yaml | 4 ++--
 synapse/storage/databases/main/sticky_events.py | 3 +--
 3 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/.config/semgrep/strict.yaml b/.config/semgrep/strict.yaml
index ebd8888404..29b544e3e0 100644
--- a/.config/semgrep/strict.yaml
+++ b/.config/semgrep/strict.yaml
@@ -5,7 +5,10 @@ rules:
 def $FUNC(...):
 ...
 - pattern: |
- "...evil..."
- message: "Function '$FUNC' contains evil"
+ "=~/.*evil1.*$/"
+ # TODO somehow allow matching a separate node
+ - pattern: |
+ "=~/.*evil2.*$/"
+ message: "Function '$FUNC' contains evil1 and evil2"
 languages: [python]
 severity: ERROR
diff --git a/.github/workflows/semgrep.yaml b/.github/workflows/semgrep.yaml
index 3800a1b5ab..192b601b27 100644
--- a/.github/workflows/semgrep.yaml
+++ b/.github/workflows/semgrep.yaml
@@ -93,7 +93,7 @@ jobs:
 # But we want a pinned version of the tools for security
 # given that we need to give GitHub API access
 #
- # Use `github-pr-check` here AND `fail-on-error`. The CI check stops you from missing
+ # Use `github-pr-check` here AND `fail-level=any` (fail). The CI check stops you from missing
 # them and the `github-pr-check` is less noisy than emitting a full PR review.
 jq -r '.results[] | "E:\(.path):\(.end.line) \(.extra.message)"' semgrep-strict.json \
 | reviewdog \
@@ -101,5 +101,5 @@ jobs:
 -name="semgrep-strict" \
 -reporter=github-pr-check \
 -filter-mode=added \
- -fail-on-error=true \
+ -fail-level=any \
 -level=error
diff --git a/synapse/storage/databases/main/sticky_events.py b/synapse/storage/databases/main/sticky_events.py
index b633bc7d95..194eb65290 100644
--- a/synapse/storage/databases/main/sticky_events.py
+++ b/synapse/storage/databases/main/sticky_events.py
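Review bot: The two `- pattern:` entries in the strict.yaml hunk are combined with the `def $FUNC(...)` clause above them, and if they sit in one `patterns:` list (the list header is outside the hunk) semgrep requires both to match the same string literal, so a function holding `evil1` and `evil2` in separate literals is not reported even though the message says it is. The TODO between them acknowledges this, but the rule still ships at `severity: ERROR` in the strict set, where a rule that cannot fire reads as a passing check. Until the matching is reworked, either split this into one rule per string or replace the TODO with a comment that states the real semantics, for example `# NOTE: fires only when one string literal matches both regexes; separate literals are not detected`.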
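Review bot: In the second semgrep.yaml hunk, `-fail-level=any` only gates the check if the pinned reviewdog release accepts that flag, and the pin is outside this hunk; confirm the pinned version supports it before merging. The job's result also rests on reviewdog's exit status alone: if the `jq` stage shown in the previous hunk fails on a missing or malformed `semgrep-strict.json`, reviewdog reads empty input and the step can pass unless the shell runs with `pipefail`. Adding `set -o pipefail` at the top of the `run:` script, which begins outside both hunks, would make that case fail closed.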
@@ -134,12 +134,11 @@ class StickyEventsWorkerStore(StateGroupWorkerStore, CacheInvalidationWorkerStor """ print("evil") + print("the forces are here") return self._sticky_events_id_gen.get_current_token() def get_sticky_events_stream_id_generator(self) -> MultiWriterIdGenerator: - print("the forces of evil are here") - return self._sticky_events_id_gen async def get_sticky_events_in_rooms(
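Review bot: The added `print("the forces are here")` sits next to the existing `print("evil")` in a storage-layer method that returns the current stream token, so every call writes to stdout outside the logging configuration. These look like trigger strings for the semgrep rule changed in this patch rather than intended behaviour; if so, they belong in a dedicated rule-test fixture, and this method should go back to `return self._sticky_events_id_gen.get_current_token()` directly after the docstring before merge. The method's signature and docstring start above the hunk, so its name is not visible here.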