opentelemetry-java-instrumentation/.github/workflows/codeql.yml

name: CodeQL

on:
  pull_request:
    branches:
      - main
      - release/*
      - cloudfoundry
      - gh-pages
  push:
    branches:
      - main
      - release/*
      - cloudfoundry
      - gh-pages
  schedule:
    - cron: "29 13 * * 2"  # weekly at 13:29 UTC on Tuesday

permissions:
  contents: read

jobs:
  analyze:
    permissions:
      contents: read
      actions: read  # for github/codeql-action/init to get workflow details
      security-events: write  # for github/codeql-action/analyze to upload SARIF results
    runs-on: oracle-8cpu-32gb-x86-64

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      # don't need to free disk space (which takes time) since running on larger machine

      - name: Set up JDK for running Gradle
        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
        with:
          distribution: temurin
          java-version-file: .java-version

      - name: Increase gradle daemon heap size
        run: |
          # increasing more than other workflows since this is running on a large runner
          # and so it uses more parallelism which uses more memory
          sed -i "s/org.gradle.jvmargs=/org.gradle.jvmargs=-Xmx8g /" gradle.properties          

      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1
        with:
          cache-read-only: ${{ github.event_name == 'pull_request' }}

      - name: Initialize CodeQL
        uses: github/codeql-action/init@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
        with:
          languages: java, actions
          # using "latest" helps to keep up with the latest Kotlin support
          # see https://github.com/github/codeql-action/issues/1555#issuecomment-1452228433
          tools: latest

      - name: Build
        # --no-build-cache is required for codeql to analyze all modules
        # --no-daemon is required for codeql to observe the compilation
        # (see https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis#specifying-build-commands)
        # quarkus tasks are disabled because they often cause the build to fail (see https://github.com/open-telemetry/opentelemetry-java-instrumentation/issues/13284)
        run: ./gradlew assemble -x javadoc -x :instrumentation:quarkus-resteasy-reactive:quarkus3-testing:quarkusGenerateCodeDev -x :instrumentation:quarkus-resteasy-reactive:quarkus2-testing:quarkusGenerateCodeDev --no-build-cache --no-daemon

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13