name: CodeQL (daily)

on:
  schedule:
    # daily at 1:30 UTC
    - cron: "30 1 * * *"
  workflow_dispatch:

permissions:
  contents: read


jobs:
  analyze:
    permissions:
      actions: read  # for github/codeql-action/init to get workflow details
      security-events: write  # for github/codeql-action/analyze to upload SARIF results
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

      - name: Free disk space
        run: .github/scripts/gha-free-disk-space.sh

      - name: Set up Java 17
        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
        with:
          distribution: temurin
          java-version: 17.0.6

      - name: Initialize CodeQL
        uses: github/codeql-action/init@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2
        with:
          languages: java
          # using "latest" helps to keep up with the latest Kotlin support
          # see https://github.com/github/codeql-action/issues/1555#issuecomment-1452228433
          tools: latest

      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2

      - name: Build
        # skipping build cache is needed so that all modules will be analyzed
        run: ./gradlew assemble -x javadoc --no-build-cache --no-daemon

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2

  workflow-notification:
    needs:
      - analyze
    if: always()
    uses: ./.github/workflows/reusable-workflow-notification.yml
    with:
      success: ${{ needs.analyze.result == 'success' }}