name: CodeQL

on:
  push:
    branches:
      - main
    paths-ignore:
      - "apply-report.json"
      - "repair-apply-report.json"
      - "jobs/**"
      - "records/**"
      - "results/**"
  pull_request:
  schedule:
    - cron: "41 2 * * 1"
  workflow_dispatch:

permissions:
  actions: read
  contents: read
  security-events: write

concurrency:
  group: codeql-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    timeout-minutes: 20
    strategy:
      fail-fast: false
      matrix:
        language:
          - actions
          - javascript-typescript
    steps:
      - uses: actions/checkout@v6
        with:
          sparse-checkout: |
            .github
            scripts
            src
            package.json
            pnpm-lock.yaml
            tsconfig.json
            tsconfig.repair.json
          sparse-checkout-cone-mode: false

      - uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          build-mode: none

      - uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{ matrix.language }}"