# https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning
name: "CodeQL"

on:
  push:
    branches:
    - '**'
    tags-ignore:
    - '**'
    paths-ignore:
    - '**/*.md'
    - '.github/ISSUE_TEMPLATE/*'
    - '.github/workflows/build.yml'
    - '.github/workflows/update-python-deps.yml'
  pull_request:
    paths-ignore:
    - '**/*.md'
  schedule:
    - cron: '10 10 * * 1'
  workflow_dispatch:
    # https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/

defaults:
  run:
    shell: bash

env:
  PYTHON_VERSION: "3.12"

jobs:

  ###########################################################
  analyze:
  ###########################################################
    runs-on: ubuntu-latest
    permissions:
      security-events: write

    steps:
    - name: Git checkout
      uses: actions/checkout@v4  # https://github.com/actions/checkout


    - uses: actions/setup-python@v5
      with:
        python-version: "${{ env.PYTHON_VERSION }}"


    - uses: actions/cache@v4
      with:
        path: __pypackages__
        key: ${{ runner.os }}-pypackages-${{ hashFiles('pdm.lock') }}


    - name: "Install: Python dependencies"
      run: |
        set -eux

        python --version
        python -m pip install --upgrade pip
        pip install --upgrade pdm
        pdm install -v


    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: python
        setup-python-dependencies: false


    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3  # https://github.com/github/codeql-action