lint-codeql.yaml

name: CodeQL

on:
  pull_request:
    branches:
      - v1.14
      - ft/v1.14/**
  push:
    branches:
      - v1.14
      - ft/v1.14/**
  schedule:
    - cron: "45 6 * * 3"

permissions: read-all

jobs:
  check_changes:
    name: Deduce required tests from code changes
    if: ${{ github.event_name == 'pull_request' }}
    runs-on: ubuntu-latest
    outputs:
      go-changes: ${{ steps.go-changes.outputs.src }}
    steps:
      - name: Check code changes
        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        id: go-changes
        with:
          filters: |
            src:
              - .github/workflows/lint-codeql.yaml
              - '**/*.go'
              - 'go.mod'
              - 'go.sum'

  analyze:
    needs: check_changes
    if: ${{ needs.check_changes.outputs.go-changes == 'true' || github.event_name != 'pull_request' }}
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
    - name: Checkout repo
      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      with:
        persist-credentials: false
        fetch-depth: 1
    - name: Initialize CodeQL
      uses: github/codeql-action/init@c7f9125735019aa87cfc361530512d50ea439c71 # v3.25.1
      with:
        languages: go
        debug: true
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@c7f9125735019aa87cfc361530512d50ea439c71 # v3.25.1