name: "CodeQL action"

on:
  push:
    branches: [main, releases/v1, releases/v2]
  pull_request:
    branches: [main, releases/v1, releases/v2]
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]

jobs:
  # Identify the CodeQL tool versions to use in the analysis job.
  check-codeql-versions:
    runs-on: ubuntu-latest
    outputs:
      versions: ${{ steps.compare.outputs.versions }}

    permissions:
      security-events: write

    steps:
    - uses: actions/checkout@v3
    - name: Init with default CodeQL bundle from the VM image
      id: init-default
      uses: ./init
      with:
        languages: javascript
    - name: Remove empty database
      # allows us to run init a second time
      run: |
        rm -rf "$RUNNER_TEMP/codeql_databases"
    - name: Init with latest CodeQL bundle
      id: init-latest
      uses: ./init
      with:
        tools: latest
        languages: javascript
    - name: Compare default and latest CodeQL bundle versions
      id: compare
      env:
        CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
        CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
      run: |
        CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
        CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
        echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
        echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"

        # If we're running on a pull request, run with both bundles, even if `tools: latest` would
        # be the same as `tools: null`. This allows us to make the job for each of the bundles a
        # required status check.
        #
        # If we're running on push, then we can skip running with `tools: latest` when it would be
        # the same as running with `tools: null`.
        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
          VERSIONS_JSON='[null]'
        else
          VERSIONS_JSON='[null, "latest"]'
        fi

        # Output a JSON-encoded list with the distinct versions to test against.
        echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
        echo "::set-output name=versions::${VERSIONS_JSON}"

  build:
    needs: [check-codeql-versions]
    strategy:
      matrix:
        os: [ubuntu-latest,windows-latest,macos-latest]
        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}

    permissions:
      security-events: write

    steps:
    - uses: actions/checkout@v3
    - uses: ./init
      id: init
      with:
        languages: javascript
        config-file: ./.github/codeql/codeql-config.yml
        tools: ${{ matrix.tools }}
    # confirm steps.init.outputs.codeql-path points to the codeql binary
    - name: Print CodeQL Version
      run: ${{steps.init.outputs.codeql-path}} version --format=json
    - uses: ./analyze