joshuar-go-hass-agent/.github/workflows/analysis.yml

name: "Analysis"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: '38 13 * * 4'

permissions:
  contents: read

env:
  MAGEARGS: -d build/magefiles -w .
  TARGETPLATFORM: linux/amd64

jobs:
  codeql:
    name: Analyze Go
    runs-on: 'ubuntu-22.04'
    permissions:
      security-events: write
      packages: read
      actions: read
    strategy:
      fail-fast: false
      matrix:
        include:
        - language: go
          build-mode: manual
    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v1
      with:
        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
    - name: Checkout repository
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      with:
        fetch-depth: 0
    - name: Setup Go
      id: setup_go
      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
      with:
        go-version-file: 'go.mod'
    - name: Install Mage
      uses: magefile/mage-action@6a5dcb5fe61f43d7c08a98bc3cf9bc63c308c08e # v3
      with:
        install-only: true
    - name: Install build deps
      run: mage ${MAGEARGS} preps:deps
    - name: Initialize CodeQL
      uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
      with:
        languages: ${{ matrix.language }}
        build-mode: ${{ matrix.build-mode }}
        packs: githubsecuritylab/codeql-${{ matrix.language }}-queries
    - if: matrix.build-mode == 'manual'
      name: Build
      run: go build
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
      with:
        category: "/language:${{matrix.language}}"

  nilaway:
    runs-on: ubuntu-latest
    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v1
      with:
        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
    - name: Checkout repository
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      with:
        fetch-depth: 0
    - name: Nil panic checks
      uses: qbaware/nilaway-action@8e71d29f098051670655958e754d21ebb7197416 # v0.0.9
      with:
        package-to-scan: ./...