name: "CodeQL"

on:
    push:
        branches: [master]
    pull_request:
        # The branches below must be a subset of the branches above
        branches: [master]
    schedule:
        - cron: '42 8 * * 3'

permissions:
    contents: read # to fetch code (actions/checkout)

jobs:
    CodeQL-Build:

        permissions:
            contents: read # to fetch code (actions/checkout)
            security-events: write # to upload SARIF results (github/codeql-action/analyze)

        strategy:
          fail-fast: false
          matrix:
            include:
               - language: python
                 os: ubuntu-latest
               - language: c
                 os: ubuntu-latest
               - language: c
                 os: windows-latest
               - language: actions
                 os: ubuntu-latest

        runs-on: ${{ matrix.os }}

        steps:

        - name: Checkout repository
          uses: actions/checkout@v5
          with:
              # We must fetch at least the immediate parents so that if this is
              # a pull request then we can checkout the head.
              fetch-depth: 2
              persist-credentials: false

        # Initializes the CodeQL tools for scanning.
        - name: Initialize CodeQL
          uses: github/codeql-action/init@v4
          with:
              languages: ${{ matrix.language }}
              trap-caching: false

        - name: Install calibre dependencies
          if: matrix.language == 'c'
          run:
              python setup/unix-ci.py install

        - name: Bootstrap calibre
          if: matrix.language == 'c'
          run:
              python setup/unix-ci.py bootstrap

        - name: Perform CodeQL Analysis
          uses: github/codeql-action/analyze@v4