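#
# SPDX-FileCopyrightText: 2023 Lifely
# SPDX-License-Identifier: EUPL-1.2+
#
# CodeQL static analysis for the Java/Kotlin and JavaScript/TypeScript code in
# this repository. It runs on pull requests against main, in the merge queue
# and on a weekly schedule; pull requests that only touch Markdown files or the
# Helm chart are skipped. Every third-party action is pinned to a full commit
# SHA (the trailing comment records the matching tag) so that a moved upstream
# tag cannot change what executes here.
---
name: "CodeQL"

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches: [main]
  merge_group:
  schedule:
    # Weekly scan of the default branch: Sundays at 11:21 UTC.
    - cron: "21 11 * * 0"

# Least-privilege default for GITHUB_TOKEN. A job that needs more declares its
# own `permissions:` block, which replaces this one entirely for that job.
permissions:
  contents: read

env:
  # Quoted so the version is read as a string rather than a number.
  JAVA_VERSION: "21"

jobs:
  # Decides whether the analysis can be skipped for the current change set.
  paths-ignore:
    runs-on: ubuntu-latest
    # Read-only token for this job; previously it inherited the repository
    # default scopes because neither the workflow nor the job declared any.
    # NOTE(review): pull-requests: read is granted in case the action lists
    # changed files through the PR API instead of git; confirm against the
    # action's documentation and drop it if it is not needed.
    permissions:
      contents: read
      pull-requests: read
    outputs:
      skip: ${{ steps.paths-ignore.outputs.skip }}
    steps:
      - name: Skip job when only Markdown files are changed
        uses: kunitsucom/github-actions-paths-ignore-alternative@3800eba25a9d716029cd1db0439cb9194431cc5c # v0.0.4
        id: paths-ignore
        with:
          # One regular expression per line; a change set matched entirely by
          # these patterns sets the `skip` output to true.
          paths-ignore: |-
            ^.*\.md$
            ^helm/

  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    needs: paths-ignore
    if: ${{ needs.paths-ignore.outputs.skip != 'true' }}
    permissions:
      actions: read
      contents: read
      # Needed to upload the SARIF results to code scanning.
      security-events: write
    strategy:
      # Keep analysing the other language when one matrix entry fails.
      fail-fast: false
      matrix:
        language: ["java-kotlin", "javascript-typescript"]
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      # A JDK and Gradle are only needed to build the Java/Kotlin sources; the
      # JavaScript/TypeScript analysis does not require a build.
      - name: Setup JDK
        if: matrix.language == 'java-kotlin'
        uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
        with:
          java-version: ${{ env.JAVA_VERSION }}
          distribution: "temurin"
      - name: Setup Gradle
        if: matrix.language == 'java-kotlin'
        uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
      - name: Initialize CodeQL
        uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
        with:
          languages: ${{ matrix.language }}
      - name: Autobuild
        uses: github/codeql-action/autobuild@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
        with:
          # A distinct category per language so both result sets can coexist
          # on the same commit.
          category: "/language:${{matrix.language}}"

  # Surfaces the code-scanning result for the pull request as a check (as the
  # action name suggests; behaviour not visible here). Restricted to
  # pull_request events because it reads the PR number, which merge-queue and
  # scheduled runs do not have.
  check_codeql_status:
    name: Check CodeQL Status
    needs:
      - analyze
      - paths-ignore
    runs-on: ubuntu-latest
    permissions:
      contents: read
      checks: read
      pull-requests: read
    if: ${{ needs.paths-ignore.outputs.skip != 'true' && github.event_name == 'pull_request' }}
    steps:
      - name: Check CodeQL Status
        uses: eldrick19/code-scanning-status-checker@868f78ef588214f12e365604583b7673d18941ce # v2.0.1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          pr_number: ${{ github.event.pull_request.number }}
          repo: ${{ github.repository }}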