refactor: use reusable workflow for semgrep

[dvarasani-crest]

Updated the build-test-release workflow to use sast-scan owned by product security team instead of using custom implementation.
Ref: https://splunk.atlassian.net/browse/ADDON-72309

Test workflow run: https://github.com/splunk/splunk-add-on-for-servicenow/actions/runs/10596615468
Tested on PR: https://github.com/splunk/splunk-add-on-for-servicenow/pull/751

Workflow is not tested for the failure scenario because we need to have blocker findings by the semgrep in order to fail the workflow. Currently all rules are in monitor mode so any findings by the semgrep will be non-blocker resulting in semgrep stage to pass everytime.
Discussion with the semgrep team: https://splunk.slack.com/archives/C011ELTV7FG/p1724923496371529

[mkolasinski-splunk]

LGTM.
Regarding GHAS and failing job when blocking issues are found - let's postpone on that once we figure out possible solutions.
@pawel-dabro are you also fine with releasing this change?

edit: @dvarasani-crest please extend description of the PR with issues with triggering true positives and limitations of failing job that you faced

[kdoroszko-splunk]

Have you seen this error in the test run:

The workflow is not valid. .github/workflows/build-test-release.yml (Line: 25, Col: 3): Error calling workflow 'splunk/addonfactory-workflow-addon-release/.github/workflows/reusable-build-test-release.yml@chore/use-reusable-workflow-for-semgrep'. The nested job 'semgrep' is requesting 'actions: write, attestations: write, deployments: write, discussions: write, issues: write, pages: write, pull-requests: write, repository-projects: write, security-events: write, id-token: write', but is only allowed 'actions: read, attest[...] ?

[dvarasani-crest]

Have you seen this error in the test run: The workflow is not valid. .github/workflows/build-test-release.yml (Line: 25, Col: 3): Error calling workflow 'splunk/addonfactory-workflow-addon-release/.github/workflows/reusable-build-test-release.yml@chore/use-reusable-workflow-for-semgrep'. The nested job 'semgrep' is requesting 'actions: write, attestations: write, deployments: write, discussions: write, issues: write, pages: write, pull-requests: write, repository-projects: write, security-events: write, id-token: write', but is only allowed 'actions: read, attest[...] ?

This error was observed when I tried to add upload_result: true in the semgrep action which also requires to add permissions: write-all. I have reverted that change and it should be working fine now.
Latest test workflow run after reverting those changes: https://github.com/splunk/splunk-add-on-for-servicenow/actions/runs/10596615468/job/29463986478

[mkolasinski-splunk]

Have you seen this error in the test run: The workflow is not valid. .github/workflows/build-test-release.yml (Line: 25, Col: 3): Error calling workflow 'splunk/addonfactory-workflow-addon-release/.github/workflows/reusable-build-test-release.yml@chore/use-reusable-workflow-for-semgrep'. The nested job 'semgrep' is requesting 'actions: write, attestations: write, deployments: write, discussions: write, issues: write, pages: write, pull-requests: write, repository-projects: write, security-events: write, id-token: write', but is only allowed 'actions: read, attest[...] ?

@kdoroszko-splunk It's strange that this issue is reported there; Just to be sure I triggered another wf and looks good:
https://github.com/splunk/splunk-add-on-for-servicenow/actions/runs/10629744350

[srv-rr-github-token]

🎉 This PR is included in version 4.17.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀