name: "Code Analysis"

on:
  push:
    branches: [master]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [master]
  schedule:
    - cron: '37 1 * * 4'

jobs:
  create-matrix:
    runs-on: ubuntu-latest
    steps:
      - name: Get languages from repo
        id: set-matrix
        uses: advanced-security/set-codeql-language-matrix@v1
        with:
          access-token: ${{ github.token }}
          endpoint: ${{ github.event.repository.languages_url }}
    outputs:
      matrix: ${{ steps.set-matrix.outputs.languages }}

  analyze:
    name: Analyze
    needs: create-matrix
    if: ${{ needs.create-matrix.outputs.matrix != '[]' && github.repository == 'photoview/photoview' }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: ${{ fromJSON(needs.create-matrix.outputs.matrix) }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # Run further tests
          queries: security-extended, security-and-quality

      # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"

  anchore:
    name: Anchore scan code dependencies
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Generate report
        id: scan
        uses: anchore/scan-action@v4
        with:
          path: "."
          fail-build: false
          add-cpes-if-none: true

      - name: Upload report
        uses: github/codeql-action/upload-sarif@v3
        if: ${{ steps.scan.conclusion == 'success' || steps.scan.conclusion == 'failure' }}
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

  hadolint:
    name: Hadolint Dockerfile
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Lint Dockerfile
        uses: hadolint/hadolint-action@v3.1.0
        id: hadolint-report
        with:
          dockerfile: Dockerfile
          config: ${{ github.workspace }}/.hadolint.yaml
          output-file: hadolint.sarif
          format: sarif
          failure-threshold: ignore

      - name: Upload report
        uses: github/codeql-action/upload-sarif@v3
        if: ${{ steps.hadolint-report.conclusion == 'success' || steps.hadolint-report.conclusion == 'failure' }}
        with:
          sarif_file: hadolint.sarif