name: CodeQL (daily)

on:
  schedule:
    # daily at 1:30 UTC
    - cron: "30 1 * * *"
  workflow_dispatch:

permissions:
  contents: read


jobs:
  analyze:
    permissions:
      actions: read  # for github/codeql-action/init to get workflow details
      security-events: write  # for github/codeql-action/analyze to upload SARIF results
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Free disk space
        run: .github/scripts/gha-free-disk-space.sh

      - name: Set up Java 17
        uses: actions/setup-java@6a0805fcefea3d4657a47ac4c165951e33482018 # v4.2.2
        with:
          distribution: temurin
          java-version-file: .java-version

      - name: Initialize CodeQL
        uses: github/codeql-action/init@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
        with:
          languages: java
          # using "latest" helps to keep up with the latest Kotlin support
          # see https://github.com/github/codeql-action/issues/1555#issuecomment-1452228433
          tools: latest

      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0

      - name: Build
        # skipping build cache is needed so that all modules will be analyzed
        run: ./gradlew assemble -x javadoc --no-build-cache --no-daemon

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2

  workflow-notification:
    needs:
      - analyze
    if: always()
    uses: ./.github/workflows/reusable-workflow-notification.yml
    with:
      success: ${{ needs.analyze.result == 'success' }}