lint.yml

name: Lint

on:
  workflow_dispatch:
  push:
    branches:
      - main
    tags:
      - '*'
      - '!*-test'
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    branches:
      - 'main'
      - 'release/**'

jobs:
  spotless:
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

    steps:
    - uses: actions/checkout@v6

    - name: Set up JDK
      uses: actions/setup-java@v5
      with:
        distribution: 'temurin'
        java-version: '23'

    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@v5
      with:
        gradle-version: '8.14'
        cache-disabled: true

    - name: Check with Spotless
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: ./gradlew spotlessCheck

  detekt:
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

    outputs:
      categories: ${{ steps.report-list.outputs.categories }}

    steps:
      - uses: actions/checkout@v6

      - name: Set up JDK
        uses: actions/setup-java@v5
        with:
          distribution: 'temurin'
          java-version: '23'

      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v5
        with:
          gradle-version: '8.14'
          cache-disabled: true

      - name: Check with Detekt
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./gradlew detekt

      - name: Save reports as artifacts
        uses: actions/upload-artifact@v5
        if: ${{ always() }}
        with:
          name: sarif-reports
          path: 'build/reports/detekt/sarif/*.sarif'

      - name: Compute report list
        id: report-list
        if: ${{ always() }}
        working-directory: build/reports/detekt/sarif
        run: |
          values=$(ls --width 0 --format commas | sed 's/cosmotech-/"/g' | sed 's/-detekt.sarif/"/g')
          echo "categories=[$values]" >> "$GITHUB_OUTPUT"

  detekt-upload-sarif:
    runs-on: ubuntu-latest
    needs: detekt
    strategy:
      fail-fast: false
      matrix:
        category: ${{ fromJSON(needs.detekt.outputs.categories) }}

    steps:
      - name: Retrieve reports
        uses: actions/download-artifact@v6
        with:
          name: sarif-reports
          path: sarif

      - name: Upload SARIF reports to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'sarif/cosmotech-${{ matrix.category }}-detekt.sarif'
          category: ${{ matrix.category }}