# Checks logs, SARIF, and database bundle debug artifacts exist
# when the analyze step fails.
name: PR Check - Debug artifacts after failure
env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
on:
  push:
    branches:
    - main
    - releases/v*
  pull_request:
    types:
    - opened
    - synchronize
    - reopened
    - ready_for_review
  schedule:
    - cron: '0 5 * * *'
  workflow_dispatch: {}

defaults:
  run:
    shell: bash

jobs:
  upload-artifacts:
    if: github.triggering_actor != 'dependabot[bot]'
    strategy:
      fail-fast: false
      matrix:
        version:
        - stable-v2.20.3
        - default
        - linked
        - nightly-latest
    name: Upload debug artifacts after failure in analyze
    continue-on-error: true
    env:
      CODEQL_ACTION_TEST_MODE: true
    permissions:
      contents: read
    timeout-minutes: 45
    runs-on: ubuntu-latest
    steps:
      - name: Dump GitHub event
        run: cat "${GITHUB_EVENT_PATH}"
      - name: Check out repository
        uses: actions/checkout@v6
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
      - uses: actions/setup-go@v6
        with:
          go-version: ^1.13.1
      - name: Install .NET
        uses: actions/setup-dotnet@v5
        with:
          dotnet-version: '9.x'
      - name: Assert best-effort artifact scan completed
        uses: ./../action/.github/actions/verify-debug-artifact-scan-completed
      - uses: ./../action/init
        with:
          tools: ${{ steps.prepare-test.outputs.tools-url }}
          debug: true
          debug-artifact-name: my-debug-artifacts
          debug-database-name: my-db
      - name: Build code
        run: ./build.sh
      - uses: ./../action/analyze
        id: analysis
        env:
          # Forces a failure in this step.
          CODEQL_ACTION_EXTRA_OPTIONS: '{ "database": { "finalize": ["--invalid-option"] } }'
        with:
          expect-error: true
  download-and-check-artifacts:
    name: Download and check debug artifacts after failure in analyze
    if: github.triggering_actor != 'dependabot[bot]'
    needs: upload-artifacts
    timeout-minutes: 45
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Download all artifacts
        uses: actions/download-artifact@v7
      - name: Check expected artifacts exist
        run: |
          LANGUAGES="cpp csharp go java javascript python"
          for version in $VERSIONS; do
            echo "Artifacts from version $version:"
            pushd "./my-debug-artifacts-${version//./}"
            for language in $LANGUAGES; do
              echo "- Checking $language"
              if [[ ! -f "my-db-$language-partial.zip" ]] ; then
                echo "Missing a partial database bundle for $language"
                exit 1
              fi
              if [[ ! -d "log" ]] ; then
                echo "Missing database initialization logs"
                exit 1
              fi
              if [[ ! "$language" == "go" ]] && [[ ! -d "$language/log" ]] ; then
                echo "Missing logs for $language"
                exit 1
              fi
            done
            popd
          done
        env:
          GO111MODULE: auto