.github/workflows/codeql.yml

name: "CodeQL"
permissions: {}

on:
  push:
    branches: ["master", "develop", "sf-live", "sf-qa"]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: ["master", "develop"]
  schedule:
    - cron: "34 18 * * 2"

jobs:
  analyze-javascript:
    name: Analyze JavaScript
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript
          config-file: ./.github/codeql/codeql-javascript-config.yml
          dependency-caching: true

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

  analyze-csharp:
    name: Analyze C#
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      matrix:
        dotnet_version: ["8.0.x"]
        node_version: ["22.13.0"]
        npm_version: ["10.9.2"]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: "Deps: .NET"
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{matrix.dotnet_version}}
          cache: true
          cache-dependency-path: src/SIL.XForge.Scripture/packages.lock.json

      - name: Use Node.js ${{ matrix.node_version }}
        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node_version }}
          cache: "npm"
          cache-dependency-path: |
            src/SIL.XForge.Scripture/ClientApp/package-lock.json
            src/RealtimeServer/package-lock.json

      - name: Upgrade npm
        run: npm install -g npm@${{matrix.npm_version}}

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: csharp
          queries: security-and-quality
          dependency-caching: true

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          upload: False
          output: sarif-results

      - name: filter-sarif
        uses: advanced-security/filter-sarif@v1
        with:
          patterns: |
            -**/*Tests.cs:cs/hardcoded-credentials
          input: sarif-results/csharp.sarif
          output: sarif-results/csharp.sarif

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarif-results/csharp.sarif

  analyze-python:
    name: Analyze Python
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: python
          queries: security-and-quality
          dependency-caching: true

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3