docs(ci): document Semgrep gating via Finalize / Final Status #36142

Status: Closed
mbiuki wants to merge 1 commit into main from issue-630-semgrep-finalize-gate

Conversation

mbiuki (Member) commented Jun 12, 2026

Proposed Changes

  • Documents the new Semgrep gating model in .github/workflows/README.md: Semgrep blocks PRs from entering the merge queue via the PR workflow's Finalize / Final Status (the semgrep job is in finalize's needs), not via a required status check.
  • Records the warning to never add semgrep-cloud-platform/scan to required status checks or re-enable the disabled "Default Merge Queue" ruleset (id 3651671) as-is — the Semgrep Cloud app never posts that check on merge_group commits, which caused the 2026-05-19 merge-queue outage.
  • Documents the controlling repo variables DISABLE_SEMGREP and SEMGREP_NO_FAIL.

This is the documentation part of Option A from dotCMS/private-issues#630. The functional part is repo-variable changes (no code): DISABLE_SEMGREP=false (done) and SEMGREP_NO_FAIL=false (after canary verification).

🤖 Generated with Claude Code

Semgrep now gates PR-to-merge-queue entry through the PR workflow's
finalize job instead of a required status check, which the Semgrep
Cloud app never posts on merge_group commits.

Refs dotCMS/private-issues#630

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
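A hypothetical PR-workflow excerpt illustrating the gating pattern the PR describes (an added example, not the dotCMS workflow or this PR's diff). The job ids, the `Final Status` job name, the `semgrep/semgrep` container and the shell gate are assumptions; `DISABLE_SEMGREP` and `SEMGREP_NO_FAIL` are the repo variables named above.

```yaml
# Hypothetical PR-workflow excerpt (added illustration, not the dotCMS
# workflow itself). The finalize job lists semgrep in `needs` and runs with
# `if: always()`, so the gate decides from needs.semgrep.result instead of
# from a check the Semgrep Cloud app posts (which never appears on
# merge_group commits). Only `finalize` would be marked as a required check.
name: PR Checks
on:
  pull_request:

jobs:
  semgrep:
    # Repo variable DISABLE_SEMGREP=true skips the scan entirely.
    if: vars.DISABLE_SEMGREP != 'true'
    runs-on: ubuntu-latest
    container: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - run: semgrep ci   # non-zero exit on blocking findings
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

  finalize:
    name: Final Status
    if: always()          # run even when semgrep failed or was skipped
    needs: [semgrep]
    runs-on: ubuntu-latest
    env:
      SEMGREP_RESULT: ${{ needs.semgrep.result }}
      DISABLE_SEMGREP: ${{ vars.DISABLE_SEMGREP }}
      SEMGREP_NO_FAIL: ${{ vars.SEMGREP_NO_FAIL }}
    steps:
      - name: Gate on Semgrep result
        run: |
          case "$SEMGREP_RESULT" in
            success)
              echo "semgrep passed" ;;
            skipped)
              # Acceptable only when the scan was deliberately switched off.
              [ "$DISABLE_SEMGREP" = "true" ] || { echo "semgrep did not run"; exit 1; }
              echo "semgrep disabled via DISABLE_SEMGREP" ;;
            *)
              # failure or cancelled: advisory while SEMGREP_NO_FAIL=true,
              # otherwise the PR stays out of the merge queue.
              if [ "$SEMGREP_NO_FAIL" = "true" ]; then
                echo "::warning::semgrep result=$SEMGREP_RESULT (SEMGREP_NO_FAIL=true)"
              else
                echo "::error::semgrep result=$SEMGREP_RESULT"; exit 1
              fi ;;
          esac
```

Because the decision is made inside a job that always runs, a skipped or missing scan fails closed instead of silently passing the way a never-posted external check would.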
github-actions Bot (Contributor) commented

❌ Linked Issue Needs Team Label

This PR is linked to issue #630, but that issue has no Team : * label. Every linked issue must be owned by a team for tracking and triage.

How to fix this:

Apply a Team : * label to the linked issue (e.g., Team : Scout, Team : Platform, Team : Falcon, Team : Maintenance). Then push a new commit or edit the PR description to re-run this check.

This comment was automatically generated by the issue linking workflow

@github-actions github-actions Bot added Area : CI/CD PR changes GitHub Actions/workflows Area : Documentation PR changes documentation files labels Jun 12, 2026
claude Bot (Contributor) commented Jun 12, 2026

Claude finished @mbiuki's task in 56s.

Rollback Safety Analysis

  • Read rollback-unsafe categories reference
  • Get full PR diff
  • Analyze diff against unsafe categories
  • Apply appropriate label

Result: ✅ Safe To Rollback

The only changed file is .github/workflows/README.md — 8 lines of documentation added to the Critical Information section documenting the Semgrep gating model.

Analysis against all unsafe categories:

| Category | Match? |
|---|---|
| C-1 Structural Data Model Change | ❌ No DB changes |
| C-2 Elasticsearch Mapping Change | ❌ No ES changes |
| C-3 Content JSON Model Version Bump | ❌ No model changes |
| C-4 DROP TABLE / DROP COLUMN | ❌ No schema changes |
| H-1 One-Way Data Migration | ❌ No data migration |
| H-2 RENAME TABLE / COLUMN | ❌ No renames |
| H-3 PK Restructuring | ❌ No PK changes |
| H-4 New ContentType Field Type | ❌ No field type changes |
| H-5 Binary Storage Provider Change | ❌ No storage changes |
| H-6 DROP PROCEDURE / FUNCTION | ❌ No procedure drops |
| H-7 NOT NULL Column Without Default | ❌ No schema changes |
| M-1 Non-Broadening Column Type Change | ❌ No column changes |
| M-2 Push Publishing Bundle Format Change | ❌ No bundle changes |
| M-3 REST / GraphQL API Contract Change | ❌ No API changes |
| M-4 OSGi Plugin API Breakage | ❌ No interface changes |

This is a pure documentation change with no code, schema, or configuration impact. Label AI: Safe To Rollback has been applied.

github-actions Bot (Contributor) commented Jun 12, 2026

🤖 Codex Review — openai.gpt-5.5

No findings.

Run: #27429838028 · tokens: in: 823 · out: 182 (reasoning: 173) · total: 1005

Labels

AI: Safe To Rollback Area : CI/CD PR changes GitHub Actions/workflows Area : Documentation PR changes documentation files

Projects

Status: Done
