From 942d9d0410c3345b8db42a1be7190799bbd1144d Mon Sep 17 00:00:00 2001 From: jiahui Date: Mon, 16 Oct 2023 17:10:49 +0800 Subject: [PATCH] fix semgrep ci --- .github/workflows/check-semgrep.yml | 20 ++++++++++++++++---- service/pay/deploy/manifests/deploy.yaml | 4 +++- 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/.github/workflows/check-semgrep.yml b/.github/workflows/check-semgrep.yml index 05287af32c4..c0a2ab55e22 100644 --- a/.github/workflows/check-semgrep.yml +++ b/.github/workflows/check-semgrep.yml @@ -2,11 +2,23 @@ name: Check-Semgrep on: - # Scan changed files in PRs (diff-aware scanning): - pull_request: {} - # Scan mainline branches and report all findings: + workflow_dispatch: push: - branches: ["main"] + branches: [ "main" ] + paths-ignore: + - "docs/**" + - "**/*.md" + - "**/*.yaml" + - "CONTRIBUTORS" + - "CHANGELOG/**" + pull_request: + branches: [ "*" ] + paths-ignore: + - "docs/**" + - "**/*.md" + - "**/*.yaml" + - "CONTRIBUTORS" + - "CHANGELOG/**" jobs: semgrep: diff --git a/service/pay/deploy/manifests/deploy.yaml b/service/pay/deploy/manifests/deploy.yaml index d6ec792b673..4eda89dd5a4 100644 --- a/service/pay/deploy/manifests/deploy.yaml +++ b/service/pay/deploy/manifests/deploy.yaml @@ -47,7 +47,9 @@ spec: dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - securityContext: {} + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true terminationGracePeriodSeconds: 30 --- apiVersion: v1
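Review bot: The new `paths-ignore` entry `- "**/*.yaml"` means a push or PR that only touches `.yaml` files never runs Semgrep at all, and that includes Kubernetes manifests such as `service/pay/deploy/manifests/deploy.yaml`, which this very commit edits and which is the kind of file Semgrep's Kubernetes rules (if they are in the configured ruleset) exist to check. Unless manifests are deliberately out of scope, drop that entry from both lists; ignoring `docs/**`, Markdown and `CHANGELOG/**` is already enough to skip documentation-only changes. Separately, `branches: [ "*" ]` under `pull_request` does not match `/` in GitHub's filter syntax, so PRs targeting branches like `release/1.x` would not trigger the scan; use `branches: [ "**" ]` or omit the `branches` filter, which is what the removed `pull_request: {}` did. Keep in mind `paths-ignore` only decides whether the workflow starts; it does not narrow what the `semgrep` job scans, and that job's definition continues outside the hunk.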
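Review bot: `allowPrivilegeEscalation` is not a field of the pod-level `securityContext` (PodSecurityContext, the level this hunk is at given the sibling `dnsPolicy`/`restartPolicy`/`terminationGracePeriodSeconds` keys); it only exists on a container's `securityContext`, so here it is rejected by strict field validation in recent `kubectl apply` or silently dropped by older clients, and in neither case does the restriction take effect. Keep `runAsNonRoot: true` at this level, where it is valid and applies to every container, and move `allowPrivilegeEscalation: false` under each `containers[].securityContext`, ideally alongside `capabilities: { drop: ["ALL"] }`; the `containers` list lies outside this hunk. Also note that `runAsNonRoot: true` makes the kubelet refuse to start a container whose image runs as UID 0 or declares no numeric user, so if the `pay` image has no non-root `USER` the pod will fail with "container has runAsNonRoot and image will run as root" — confirm the image or add an explicit `runAsUser`. The enclosing `spec.template.spec` starts outside the hunk.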