thumbor/thumbor-aws

name: "CodeQL"

on:
  push:
    branches: [ main ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ main ]
  schedule:
    - cron: '26 1 * * 6'

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ 'python' ]
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
    - name: APT Update
      run: sudo apt-get update -y
    - name: APT Install
      run: sudo apt-get install -y python3-dev libcurl4-openssl-dev libgnutls28-dev
        python3-all-dev make zlib1g-dev gcc libssl-dev build-essential
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}
        config-file: ./.github/codeql/codeql-config.yml
        setup-python-dependencies: false

    - name: Install Poetry
      uses: snok/install-poetry@v1
      with:
        virtualenvs-create: true
        virtualenvs-in-project: true
    - name: Load cached venv
      id: cached-poetry-dependencies
      uses: actions/cache@v4
      with:
        path: .venv
        key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }}
    - name: Install dependencies
      if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
      run: poetry install --no-interaction --no-root
    - name: Install thumbor-aws
      run: poetry install --no-interaction

    - name: Set CodeQL python
      run: echo "CODEQL_PYTHON=$(which python)" >> $GITHUB_ENV
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3