ci: add github workflow to lint files using semgrep

Author: galbwe

.github/workflows/semgrep.yml

@@ -0,0 +1,28 @@
+name: Semgrep
+
+# Semgrep is a static analysis tool to lint code for patterns we want to forbid
+# https://github.com/returntocorp/semgrep
+
+permissions:
+  contents: read
+
+on: [workflow_dispatch, pull_request, push]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    name: Semgrep - Lint
+    runs-on: ubuntu-20.04
+    container:
+      image: returntocorp/semgrep
+    steps:
+      - name: Check out ockam repository
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+      - name: Run Semgrep
+        # .semgrepignore is not processed outside of working directory. See https://github.com/returntocorp/semgrep/issues/5669
+        run: |
+          mv tools/semgrep/.semgrepignore . & \
+          semgrep --verbose --config="r2c" --config="tools/semgrep/rules/example.yaml"

tools/semgrep/.semgrepignore

@@ -0,0 +1 @@
+.gitignore

tools/semgrep/rules/example.yaml

@@ -0,0 +1,7 @@
+rules:
+- id: is-comparison
+  languages:
+    - python
+  message: The operator 'is' is for reference equality, not value equality! Use `==` instead!
+  pattern: $SOMEVAR is "..."
+  severity: ERROR