ci: add Semgrep OSS scanning workflow

[hrushikeshdeshpande]

Summary

Adds Semgrep Community Edition (OSS) scanning to this repository as part of the App&ProdSec team's migration from Semgrep Pro to Semgrep CE, plus a fix for the closed-WebSocket replay race in agents/chat.

Semgrep workflow

• Runs on every PR, on push to the main/master branch, and on the first Saturday of each month.
• Uses actions/cache@v5 so pip install semgrep only runs on cold cache (first run, version bump, or 7-day idle).
• Pinned to semgrep==1.160.0 with --config=auto (default OSS ruleset).
• Runs on ubuntu-slim with contents: read token scope.
• A small gate job filters scheduled runs to the first 7 days of the month so the schedule means "first Saturday only" without relying on POSIX cron's day-of-month / day-of-week OR semantics.

Closed-WebSocket replay race (agents/chat)

• ResumableStream.replayChunks and replayCompletedChunksByRequestId route every connection.send() through a sendIfOpen helper that swallows the TypeError: WebSocket send() after close race and reports failure to the caller.
• The matching fallback in @cloudflare/ai-chat's stream-resume ACK handler also goes through sendIfOpen.
• If the socket drops mid-replay during replayChunks, the stream is left active so the next reconnect can retry from the start. The orphan-cleanup branch still calls complete() and returns the stream id even if the final done send misses, so the caller persists the reconstructed message regardless of whether this particular socket received the frame.

Review & Testing Checklist for Human

• Confirm the gate job + 0 0 * * 6 cron is acceptable for the App&ProdSec team's "monthly, staggered" intent (vs. accepting the original ~10x/month POSIX-OR schedule).
• Sanity check that triggering this workflow via workflow_dispatch on main after merge produces a Semgrep findings summary as expected.
• (Optional) Decide whether @cloudflare/think's _handleStreamResumeAck fallback should mirror the sendIfOpen change here in a follow-up PR — Devin Review flagged the same pattern in packages/think/src/think.ts:2601, but the original author marked the think.ts path as out of this PR's scope.

Notes

• Devin Review feedback addressed in this PR: bumped actions/checkout@v6 for consistency, gated the cron schedule, and wrapped the remaining bare connection.send() calls in replayChunks.
• The @cloudflare/think consumer of replayCompletedChunksByRequestId still uses a bare connection.send() and was intentionally left out of scope here.

Link to Devin session: https://app.devin.ai/sessions/303193c332f24e08b4c8525adb58e285
Requested by: @whoiskatrin

---

[changeset-bot]

🦋 Changeset detected

Latest commit: fdd982c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages

Name	Type
agents	Patch
@cloudflare/ai-chat	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.

[pkg-pr-new]

Open in StackBlitz

agents

npm i https://pkg.pr.new/agents@1376

@cloudflare/ai-chat

npm i https://pkg.pr.new/@cloudflare/ai-chat@1376

@cloudflare/codemode

npm i https://pkg.pr.new/@cloudflare/codemode@1376

hono-agents

npm i https://pkg.pr.new/hono-agents@1376

@cloudflare/shell

npm i https://pkg.pr.new/@cloudflare/shell@1376

@cloudflare/think

npm i https://pkg.pr.new/@cloudflare/think@1376

@cloudflare/voice

npm i https://pkg.pr.new/@cloudflare/voice@1376

@cloudflare/worker-bundler

npm i https://pkg.pr.new/@cloudflare/worker-bundler@1376

commit: fdd982c

[devin-ai-integration]

Devin Review found 1 new potential issue.

View 11 additional findings in Devin Review.