codeql-action/.github/workflows/codeql.yml

name: "CodeQL action"

on:
  push:
    branches: [main, releases/v*]
  pull_request:
    branches: [main, releases/v*]
    # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
    # by other workflows.
    types: [opened, synchronize, reopened, ready_for_review]
  schedule:
    # Weekly on Sunday.
    - cron: '30 1 * * 0'
  workflow_dispatch:

env:
  CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks

jobs:
  # Identify the CodeQL tool versions to use in the analysis job.
  check-codeql-versions:
    runs-on: ubuntu-latest
    outputs:
      versions: ${{ steps.compare.outputs.versions }}

    permissions:
      contents: read

    steps:
    - uses: actions/checkout@v5
    - name: Init with default CodeQL bundle from the VM image
      id: init-default
      uses: ./init
      with:
        languages: javascript
    - name: Remove empty database
      # allows us to run init a second time
      run: |
        rm -rf "$RUNNER_TEMP/codeql_databases"
    - name: Init with latest CodeQL bundle
      id: init-latest
      uses: ./init
      with:
        tools: linked
        languages: javascript
    - name: Compare default and latest CodeQL bundle versions
      id: compare
      env:
        CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
        CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
      run: |
        CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
        CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
        echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
        echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"

        # If we're running on a pull request, run with both bundles, even if `tools: linked` would
        # be the same as `tools: null`. This allows us to make the job for each of the bundles a
        # required status check.
        #
        # If we're running on push or schedule, then we can skip running with `tools: linked` when it would be
        # the same as running with `tools: null`.
        if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
          VERSIONS_JSON='[null]'
        else
          VERSIONS_JSON='[null, "linked"]'
        fi

        # Output a JSON-encoded list with the distinct versions to test against.
        echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
        echo "versions=${VERSIONS_JSON}" >> $GITHUB_OUTPUT

  analyze-javascript:
    needs: [check-codeql-versions]
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-22.04,ubuntu-24.04,windows-2022,windows-2025,macos-13,macos-14,macos-15]
        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
    runs-on: ${{ matrix.os }}

    permissions:
      contents: read
      security-events: write

    steps:
    - name: Checkout
      uses: actions/checkout@v5
    - name: Initialize CodeQL
      uses: ./init
      id: init
      with:
        languages: javascript
        config-file: ./.github/codeql/codeql-config.yml
        tools: ${{ matrix.tools }}
    # confirm steps.init.outputs.codeql-path points to the codeql binary
    - name: Print CodeQL Version
      run: ${{steps.init.outputs.codeql-path}} version --format=json
    - name: Perform CodeQL Analysis
      uses: ./analyze
      with:
        category: "/language:javascript"


  analyze-actions:
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false

    permissions:
      contents: read
      security-events: write

    steps:
    - name: Checkout
      uses: actions/checkout@v5
    - name: Initialize CodeQL
      uses: ./init
      with:
        languages: actions
        config-file: ./.github/codeql/codeql-actions-config.yml
    - name: Perform CodeQL Analysis
      uses: ./analyze
      with:
        category: "/language:actions"