# SPDX-FileCopyrightText: 2024 Emil Velikov <emil.l.velikov@gmail.com>
# SPDX-FileCopyrightText: 2024 Lucas De Marchi <lucas.de.marchi@gmail.com>
#
# SPDX-License-Identifier: LGPL-2.1-or-later

name: CodeQL

on:
  push:
    branches: [master, ci-test]
  pull_request:
    branches: [master]
  schedule:
    - cron: "30 2 * * 0"

permissions:
  contents: read

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        include:
          - container: 'ubuntu:24.04'

    container:
      image: ${{ matrix.container }}

    steps:
      - name: Sparse checkout the local actions
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
        with:
          sparse-checkout: .github

      - uses: ./.github/actions/setup-ubuntu
        if: ${{ startsWith(matrix.container, 'ubuntu') }}

      - name: Checkout the whole project
        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

      - name: Set the environment
        run: |
          # The second checkout above claims to set safe.directory, yet it
          # doesn't quite work. Perhaps our double/sparse checkout is to blame?
          git config --global --add safe.directory '*'

      - name: Initialize CodeQL
        uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
        with:
          languages: cpp
          queries: +security-and-quality

      - name: Build
        run: |
          mkdir build && cd build
          meson setup --native-file ../build-dev.ini . ..
          meson compile

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
        with:
          category: "/language:cpp"