From 03da6d58a42aeff99cc28b0496a66a6215c63910 Mon Sep 17 00:00:00 2001
From: JonKazama-Hellion
Date: Sat, 9 May 2026 12:08:08 +0200
Subject: [PATCH] ci: fix semgrep rule ID for csharp-sqli exclusion
Semgrep rule IDs follow the pattern .. The pack name is csharp.lang.security.sqli.csharp-sqli and the rule inside it is also called csharp-sqli, so the full ID needs the trailing .csharp-sqli again. Without it the exclude flag silently filters a different subset of rules and the actual rule still runs.
---
 .gitea/workflows/security.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitea/workflows/security.yml b/.gitea/workflows/security.yml
index 665c049..922c9dc 100644
--- .gitea/workflows/security.yml
+++ b/.gitea/workflows/security.yml
@@ -17,5 +17,5 @@ jobs:
 # local-only inside a Dalamud plugin. Semgrep matches the pattern
 # without dataflow, so it flags those eight call sites; CodeQL
 # would not. Suppressed for this repo only.
- semgrep-exclude-rules: 'csharp.lang.security.sqli.csharp-sqli'
+ semgrep-exclude-rules: 'csharp.lang.security.sqli.csharp-sqli.csharp-sqli'
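Review bot: With the corrected ID, the `semgrep-exclude-rules` line switches the C# SQL-injection rule off for the whole scan, so a later call site that does build a query from untrusted input would pass unflagged. The comment above only justifies eight specific local-only call sites; annotating those with an inline `// nosemgrep: csharp.lang.security.sqli.csharp-sqli.csharp-sqli` and a short reason would keep the rule active for new code. If the repo-wide exclusion stays, the comment should name where the eight sites are and add something like `# Revisit if any query is ever built from non-local input.` The step this input belongs to starts outside the hunk, so how the value reaches Semgrep is not visible here.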