name: Run QL for QL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

env:
  CARGO_TERM_COLOR: always

permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    if: github.repository_owner == 'github'
    runs-on: ubuntu-latest-xl
    steps:
      ### Build the queries ###
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Find codeql
        id: find-codeql
        uses: github/codeql-action/init@main
        with:
          languages: javascript # does not matter
      - uses: ./.github/actions/os-version
        id: os_version
      ### Build the extractor ###
      - name: Cache entire extractor
        id: cache-extractor
        uses: actions/cache@v3
        with:
          path: |
            ql/extractor-pack/
            ql/target/release/buramu
          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ql/**/*.rs') }}
      - name: Cache cargo
        if: steps.cache-extractor.outputs.cache-hit != 'true'
        uses: actions/cache@v3
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            ql/target
          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-rust-cargo-${{ hashFiles('ql/**/Cargo.lock') }}
      - name: Release build
        if: steps.cache-extractor.outputs.cache-hit != 'true'
        run: cd ql; ./scripts/create-extractor-pack.sh
        env:
          GH_TOKEN: ${{ github.token }}
      - name: Cache compilation cache
        id: query-cache
        uses: ./.github/actions/cache-query-compilation
        with:
          key: run-ql-for-ql
      - name: Make database and analyze
        run: |
          ./ql/target/release/buramu | tee deprecated.blame # Add a blame file for the extractor to parse.
          ${CODEQL} database create -l=ql ${DB} --search-path "${{ github.workspace }}"
          ${CODEQL} database analyze -j0 --format=sarif-latest --output=ql-for-ql.sarif ${DB} ql/ql/src/codeql-suites/ql-code-scanning.qls  --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
        env:
          CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
          DB: ${{ runner.temp }}/DB
          LGTM_INDEX_FILTERS: |
            exclude:ql/ql/test
            exclude:*/ql/lib/upgrades/
            exclude:java/ql/integration-tests
      - name: Upload sarif to code-scanning
        uses: github/codeql-action/upload-sarif@main
        with:
          sarif_file: ql-for-ql.sarif
          category: ql-for-ql
      - name: Sarif as artifact
        uses: actions/upload-artifact@v4
        with:
          name: ql-for-ql.sarif
          path: ql-for-ql.sarif
      - name: Split out the sarif file into langs
        run: |
          mkdir split-sarif
          node ./ql/scripts/split-sarif.js ql-for-ql.sarif split-sarif
      - name: Upload langs as artifacts
        uses: actions/upload-artifact@v4
        with:
          name: ql-for-ql-langs
          path: split-sarif
          retention-days: 1