name: "CodeQL"

on:
    push:
        branches: [master]
    pull_request:
        # The branches below must be a subset of the branches above
        branches: [master]
    schedule:
        - cron: '0 22 * * 5'

jobs:
    CodeQL-Build:

        permissions:
            contents: read # to fetch code (actions/checkout)
            security-events: write # to upload SARIF results (github/codeql-action/analyze)

        strategy:
          fail-fast: false
          matrix:
            include:
               - language: python
                 os: ubuntu-latest
               - language: c
                 os: ubuntu-latest
               - language: c
                 os: macos-latest
               - language: go
                 os: ubuntu-latest
               - language: actions
                 os: ubuntu-latest

        runs-on: ${{ matrix.os }}
        env:
            KITTY_BUNDLE: 1
            KITTY_CODEQL: 1

        steps:

        - name: Checkout repository
          uses: actions/checkout@v5
          with:
              # We must fetch at least the immediate parents so that if this is
              # a pull request then we can checkout the head.
              fetch-depth: 2

        - name: Install Go
          if: matrix.language == 'c' || matrix.language == 'go'
          uses: actions/setup-go@v6
          with:
              go-version-file: go.mod

        # Initializes the CodeQL tools for scanning.
        - name: Initialize CodeQL
          uses: github/codeql-action/init@v3
          with:
              languages: ${{ matrix.language }}
              trap-caching: false

        - name: Build kitty
          if: matrix.language == 'c' || matrix.language == 'go'
          run: python3 .github/workflows/ci.py build

        - name: Perform CodeQL Analysis
          uses: github/codeql-action/analyze@v3

        - name: Run govulncheck
          if: matrix.language == 'go'
          run: python3 .github/workflows/ci.py govulncheck