ci: add Semgrep OSS scanning workflow

[hrushikeshdeshpande]

Summary

Adds Semgrep Community Edition (OSS) scanning to this repository as part of the App&ProdSec team's migration from Semgrep Pro to Semgrep CE.

What it does

• Runs on every PR, on push to the main/master branch, and monthly on a staggered schedule.
• Uses actions/cache@v5 so pip install semgrep only runs on cold cache (first run, version bump, or 7-day idle).
• Pinned to semgrep==1.160.0 with --config=auto (default OSS ruleset).
• Runs on ubuntu-slim with contents: read token scope.

For reviewers

• Findings are informational; the job does not block on findings.
• First PR after merge installs Semgrep; subsequent PRs skip that step.

See the internal App&ProdSec email for migration context, or ping us internally.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 3e84aa0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

npx https://pkg.pr.new/cloudflare/ai/ai-gateway-provider@508

npx https://pkg.pr.new/cloudflare/ai/@cloudflare/tanstack-ai@508

npx https://pkg.pr.new/cloudflare/ai/workers-ai-provider@508

commit: 3e84aa0