name: CodeQL (daily)

on:
  schedule:
    # daily at 1:30 UTC
    - cron: "30 1 * * *"
  workflow_dispatch:

permissions:
  contents: read


jobs:
  analyze:
    permissions:
      actions: read  # for github/codeql-action/init to get workflow details
      security-events: write  # for github/codeql-action/analyze to upload SARIF results
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2

      - name: Free disk space
        run: .github/scripts/gha-free-disk-space.sh

      - name: Set up Java 17
        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
        with:
          distribution: temurin
          java-version: 17.0.6

      - name: Initialize CodeQL
        uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
        with:
          languages: java
          # using "latest" helps to keep up with the latest Kotlin support
          # see https://github.com/github/codeql-action/issues/1555#issuecomment-1452228433
          tools: latest

      - uses: gradle/actions/setup-gradle@6cec5d49d4d6d4bb982fbed7047db31ea6d38f11 # v3.3.0
        with:
          # skipping build cache is needed so that all modules will be analyzed
          arguments: assemble -x javadoc --no-build-cache --no-daemon

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10

  workflow-notification:
    needs:
      - analyze
    if: always()
    uses: ./.github/workflows/reusable-workflow-notification.yml
    with:
      success: ${{ needs.analyze.result == 'success' }}