# Reusable CodeQL workflow: it only runs when another workflow invokes it
# through workflow_call.
name: codeql-analysis-steps

on:
  workflow_call:

# Workflow-wide default is an empty GITHUB_TOKEN permission set; a job gets
# only the scopes it lists itself.
permissions: {}

jobs:
  # One CodeQL run per matrix language. Every action below is referenced by a
  # full commit SHA, with the human-readable version kept in a trailing comment.
  analyze:
    permissions:
      # Needed by github/codeql-action/init to get workflow details.
      actions: read
      # Needed by actions/checkout to fetch code.
      contents: read
      # Needed by github/codeql-action/analyze to upload SARIF results.
      security-events: write
    runs-on: windows-latest
    strategy:
      # A failure in one language does not cancel the other matrix leg.
      fail-fast: false
      matrix:
        language:
          - "actions"
          - "csharp"
    steps:
      # Only the csharp leg resizes the pagefile.
      # NOTE(review): presumably to give the C# analysis more virtual memory;
      # confirm against the runner's actual limits.
      - name: Configure Pagefile
        if: matrix.language == 'csharp'
        uses: al-cheb/configure-pagefile-action@9b6da52fb72a3c6147c1aad2df22d8d905681adc # v1.5
        with:
          minimum-size: 8GB
          maximum-size: 32GB
          disk-root: 'D:'

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Treeless partial clone.
          filter: "tree:0"
          # Do not leave the job token in the checked-out repository's git
          # configuration for later steps to pick up.
          persist-credentials: false
          show-progress: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          # Analyze the sources as checked out; no build step is run.
          build-mode: none
          languages: ${{ matrix.language }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          # Keeps the uploaded results of each matrix language separate.
          category: "/language:${{ matrix.language }}"

  # Single pass/fail job that summarises the whole matrix. It requests no
  # permissions, so it runs with the empty workflow-level default.
  results:
    # Run even when analyze failed, so the failure is reported by this job
    # instead of this job being skipped.
    if: ${{ !cancelled() }}
    needs:
      - analyze
    runs-on: ubuntu-latest
    steps:
      - name: Report status
        shell: bash
        env:
          # The expression is evaluated by Actions and handed to the script as
          # an environment variable rather than spliced into the script text.
          # NOTE(review): only 'failure' and 'cancelled' fail this gate; a
          # 'skipped' analyze result would still count as success. Confirm
          # that this is intended.
          SCAN_SUCCESS: ${{ !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
        run: |
          if [ "${SCAN_SUCCESS}" == "true" ]
          then
            echo 'CodeQL analysis successful'
          else
            echo 'CodeQL analysis failed'
            exit 1
          fi