keycloak/.github/workflows/codeql-analysis.yml

name: CodeQL

on:
  push:
    branches-ignore:
      - main
      - dependabot/**
      - quarkus-next
  pull_request:
     branches: [main]
  workflow_dispatch:

env:
  MAVEN_ARGS: "-B -nsu -Daether.connector.http.connectionMaxTtl=25"

concurrency:
  # Only cancel jobs for PR updates
  group: codeql-analysis-${{ github.ref }}
  cancel-in-progress: true

defaults:
  run:
    shell: bash

permissions:
  contents: read

jobs:
  conditional:
    name: Check conditional workflows and jobs
    runs-on: ubuntu-latest
    outputs:
      java: ${{ steps.conditional.outputs.codeql-java }}
      javascript: ${{ steps.conditional.outputs.codeql-javascript }}
      typescript: ${{ steps.conditional.outputs.codeql-typescript }}
      actions: ${{ steps.conditional.outputs.codeql-actions }}
    permissions:
      contents: read
      pull-requests: read
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - id: conditional
        uses: ./.github/actions/conditional
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

  java:
    name: CodeQL Java
    needs: conditional
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # Required for SARIF upload
    if: needs.conditional.outputs.java == 'true'
    outputs:
      conclusion: ${{ steps.check.outputs.conclusion }}

    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Initialize CodeQL
        uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          languages: java

      - name: Build Keycloak
        uses: ./.github/actions/build-keycloak

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          wait-for-processing: true
        env:
          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}'

  javascript:
    name: CodeQL JavaScript
    needs: conditional
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # Required for SARIF upload
    if: needs.conditional.outputs.javascript == 'true'
    outputs:
      conclusion: ${{ steps.check.outputs.conclusion }}

    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Initialize CodeQL
        uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        env:
          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}'
        with:
          languages: javascript
          config-file: ./.github/codeql/codeql-config-javascript.yml

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          wait-for-processing: true
        env:
          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}'

  typescript:
    name: CodeQL TypeScript
    needs: conditional
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # Required for SARIF upload
    if: needs.conditional.outputs.typescript == 'true'
    outputs:
      conclusion: ${{ steps.check.outputs.conclusion }}

    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Initialize CodeQL
        uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        env:
          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}'
        with:
          languages: typescript
          config-file: ./.github/codeql/codeql-config-typescript.yml

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          wait-for-processing: true
        env:
          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}'

  actions:
    name: CodeQL GitHub Actions
    needs: conditional
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # Required for SARIF upload
    if: needs.conditional.outputs.actions == 'true'
    outputs:
      conclusion: ${{ steps.check.outputs.conclusion }}

    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Initialize CodeQL
        uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        env:
          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"finalize":["--no-run-unnecessary-builds"]}}'
        with:
          languages: actions

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          wait-for-processing: true
        env:
          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"interpret-results":["--max-paths",0]}}'

  check:
    name: Status Check - CodeQL
    if: always()
    needs:
      - conditional
      - java
      - javascript
      - typescript
      - actions
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: ./.github/actions/status-check
        with:
          jobs: ${{ toJSON(needs) }}