update amplify

.github/workflows/amplify.yml

@@ -1,28 +1,22 @@
-# .github/workflows/amplify.yml
-name: Amplify Security # do not modify this line
+---
+name: Amplify Security
 on:
-  pull_request: {} # run for all PRs
-  workflow_dispatch: {} # allow manual runs through GitHub UI
+  pull_request: {}
+  workflow_dispatch: {}
   push:
-    branches: ["master", "main"] # add additional iteration or release branch patterns here
+    branches: ["master", "main"]
+
 permissions:
-  contents: read # declare default permissions for GITHUB_TOKEN
+  contents: read
+  id-token: write
+
 jobs:
   amplify-security-scan:
+    name: Amplify Security Scan
     runs-on: ubuntu-latest
-    container:
-      image: returntocorp/semgrep
-    if: (github.actor != 'dependabot[bot]')
+    if: (!github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]')
     steps:
-      - uses: actions/checkout@v3
-      - run: semgrep ci --config auto --json > amplify-sast.json || true
-        env:
-          SEMGREP_RULES: >-
-            p/security-audit
-            p/secrets
-      # do not modify this step
-      - uses: actions/upload-artifact@v3
-        with:
-          name: amplify-scan
-          path: amplify-sast.json
-          retention-days: 7
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Amplify Runner
+        uses: amplify-security/runner-action@main