# SPDX-FileCopyrightText: © Sebastian Thomschke and contributors
# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-ArtifactOfProjectHomePage: https://github.com/Second-Hand-Friends/kleinanzeigen-bot
#
# CodeQL code scanning workflow (advanced setup: the init/analyze steps are
# driven from this file instead of the default setup).
# https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning
name: "CodeQL"

# Triggers:
# https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows
on:
  # Weekly full scan so that new queries/rules also reach code that has not changed.
  # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#schedule
  schedule:
    - cron: "10 10 * * 1"  # Mondays 10:10 UTC
  push:
    # Only the protected branches; feature-branch pushes are already covered by
    # the pull_request trigger and would otherwise produce duplicate runs.
    branches:
      - main
      - release
    # Tag pushes are never scanned.
    tags-ignore:
      - "**"
    # Pushes that touch only documentation or tooling config carry no code to scan.
    paths-ignore:
      - "**/*.md"
      - ".act*"
      - ".editorconfig"
      - ".git*"
      - "codecov.yml"
  pull_request:
    paths-ignore:
      - "**/*.md"
      - ".act*"
      - ".editorconfig"
      - ".git*"
      - "codecov.yml"
  # Manual trigger from the Actions tab.
  # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#workflow_dispatch
  workflow_dispatch:

defaults:
  run:
    shell: bash

env:
  # Quoted so the version stays a string (an unquoted 3.14 would be read as a float).
  PYTHON_VERSION: "3.14"

jobs:
  ###########################################################
  analyze:
  ###########################################################
    runs-on: ubuntu-latest
    timeout-minutes: 10

    # Least-privilege token for this job: the only write scope is the one
    # needed to upload scan results.
    permissions:
      # required for all workflows
      security-events: write
      # required to fetch internal or private CodeQL packs
      packages: read
      # only required for workflows in private repositories
      actions: read
      contents: read

    steps:
      - name: "Show: GitHub context"
        # The context is handed to the shell through an environment variable and
        # printed with printf, so event payload fields (e.g. PR text) are never
        # interpolated into the script itself.
        env:
          GITHUB_CONTEXT: ${{ toJSON(github) }}
        run: printf '%s' "$GITHUB_CONTEXT" | python -m json.tool

      - name: "Show: environment variables"
        run: env | sort

      # Third-party actions below are pinned to a full commit SHA; the trailing
      # comment records the release tag that SHA corresponds to.
      - name: Git Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.0
        # https://github.com/actions/checkout

      - name: "Install: Python and PDM"
        # https://github.com/pdm-project/setup-pdm
        uses: pdm-project/setup-pdm@94a823180e06fcde4ad29308721954a521c96ed0  # v4.4
        with:
          python-version: "${{ env.PYTHON_VERSION }}"
          cache: true

      - name: "Install: Python dependencies"
        # -e: stop on the first failing command, -u: unset vars are errors,
        # -x: echo each command into the job log.
        run: |
          set -eux
          python --version
          python -m pip install --upgrade pip
          pip install --upgrade pdm
          if [[ ! -e .venv ]]; then
            pdm venv create || true
          fi
          pdm sync --clean -v

      - name: Initialize CodeQL
        uses: github/codeql-action/init@cdefb33c0f6224e58673d9004f47f7cb3e328b89  # v4.0.0
        # https://github.com/github/codeql-action/blob/main/init/action.yml
        with:
          # Scan both the workflow files and the Python sources.
          languages: actions,python
          # No build is run before extraction.
          # https://github.com/github/codeql-action#build-modes
          build-mode: none
          # Extended query suite: security queries plus maintainability/quality checks.
          # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-queries-in-ql-packs
          queries: security-and-quality

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@cdefb33c0f6224e58673d9004f47f7cb3e328b89  # v4.0.0
        # https://github.com/github/codeql-action