code-scanner.yml

name: "Code Scanner"

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

jobs:
  CodeQL-Build:
    runs-on: ubuntu-latest
    permissions:
      # required for all workflows
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      # If this run was triggered by a pull request event then checkout
      # the head of the pull request instead of the merge commit.
      # Only include this step if you are running this workflow on pull requests.
      - name: Checkout pull request head
        run: git checkout HEAD^2
        if: ${{ github.event_name == 'pull_request' }}
      - name: Set up JDK 11
        uses: actions/setup-java@v3
        with:
          distribution: 'temurin'
          java-version: 11
          cache: gradle
      - name: Gradle Wrapper Validation
        uses: gradle/wrapper-validation-action@v1

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: java

      - name: Build
        run: |
          ./gradlew spotbugsDebug spotbugsRelease
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: sdk/build/reports/spotbugs/

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2