.github/workflows/codeql-analysis.yml

name: CodeQL

on:
  push:
    branches-ignore:
      - main
      - dependabot/**
  pull_request:
     branches: [main]
  schedule:
    - cron: 0 9 * * 2

concurrency:
  # Only cancel jobs for PR updates
  group: codeql-analysis-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

defaults:
  run:
    shell: bash

jobs:

  conditional:
    name: Check conditional workflows and jobs
    if: github.event_name != 'schedule' || github.repository == 'keycloak/keycloak'
    runs-on: ubuntu-latest
    outputs:
      java: ${{ steps.conditional.outputs.codeql-java }}
      themes: ${{ steps.conditional.outputs.codeql-themes }}
    steps:
      - uses: actions/checkout@v3

      - id: conditional
        uses: ./.github/actions/conditional

  java:
    name: CodeQL Java
    needs: conditional
    runs-on: ubuntu-latest
    if: needs.conditional.outputs.java == 'true'
    outputs:
      conclusion: ${{ steps.check.outputs.conclusion }}

    steps:
      - uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2.20.4
        with:
          languages: java

      - name: Build Keycloak
        uses: ./.github/actions/build-keycloak

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2.20.4
        with:
          wait-for-processing: true
        env:
          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}'

      - id: check
        uses: ./.github/actions/checks-success

  themes:
    name: CodeQL Themes
    needs: conditional
    runs-on: ubuntu-latest
    if: needs.conditional.outputs.themes == 'true'
    outputs:
      conclusion: ${{ steps.check.outputs.conclusion }}

    steps:
      - uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2.20.4
        env:
          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}'
        with:
          languages: javascript
          source-root: themes/src/main/

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2.20.4
        with:
          wait-for-processing: true
        env:
          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}'

      - id: check
        uses: ./.github/actions/checks-success

  check:
    name: Status Check - CodeQL
    if: always() && ( github.event_name != 'schedule' || github.repository == 'keycloak/keycloak' )
    needs: [conditional, java, themes]
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3

      - name: CodeQL Java
        uses: ./.github/actions/checks-job-pass
        with:
          required: ${{ needs.conditional.outputs.java }}
          conclusion: ${{ needs.java.outputs.conclusion }}

      - name: CodeQL Themes
        uses: ./.github/actions/checks-job-pass
        with:
          required: ${{ needs.conditional.outputs.themes }}
          conclusion: ${{ needs.themes.outputs.conclusion }}