.github/workflows/codeql.yml

name: "CodeQL"

on:
  workflow_dispatch: # Allow manually triggered workflow run
  schedule:
    # At 05:30 on every day-of-week from Monday through Friday.
    - cron: "30 5 * * 1-5"

jobs:
  analyze-java:
    name: Analyze Java (Kotlin)
    runs-on:
      labels: ubuntu-latest-8-cores
    timeout-minutes: 360
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java
          queries: security-and-quality

      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 21

      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v3

      - name: Assemble
        run: ./gradlew assemble -Dorg.gradle.jvmargs="-Dkotlin.daemon.jvmargs=-Xmx16g" --configuration-cache
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          upload: false # disable the upload here - we will upload in a different action
          output: sarif-results

      - name: filter-sarif
        uses: advanced-security/filter-sarif@v1
        with:
          patterns: |
            -**/*test*.kt
            -**/generated-main-avro-java/**
          input: sarif-results/java.sarif
          output: sarif-results/java.sarif

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarif-results/java.sarif
          category: "/language:java"

  analyze-javascript:
    name: Analyze Javascript (Typescript)
    runs-on:
      labels: ubuntu-latest-8-cores
    timeout-minutes: 360
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript
          queries: security-and-quality

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          upload: false # disable the upload here - we will upload in a different action
          output: sarif-results

      - name: filter-sarif
        uses: advanced-security/filter-sarif@v1
        with:
          patterns: |
            -**/*test*.kt
          input: sarif-results/javascript.sarif
          output: sarif-results/javascript.sarif

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarif-results/javascript.sarif
          category: "/language:javascript"