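name: CodeQL analysis

# **What it does**: This runs CodeQL on our repository.
# **Why we have it**: Security scanning.
# **Who does it impact**: Docs engineering.

# NOTE: `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it,
# but generic linters may flag it (yamllint `truthy`).
on:
  pull_request:
    branches:
      - main
    # Only TypeScript sources and this workflow retrigger the scan on PRs.
    # Plain .js/.jsx files are not listed here even though the analysis
    # language below is `javascript` — confirm that is intentional.
    paths:
      - '**/*.ts'
      - '**/*.tsx'
      - '.github/workflows/codeql.yml'
  # This is so that when CodeQL runs on a pull request, it can compare
  # against the state of the base branch.
  push:
    branches:
      - main

# Least-privilege token: read the repo and workflow metadata, write only
# the code-scanning results (needed to upload the SARIF report).
permissions:
  actions: read
  contents: read
  security-events: write

# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
  cancel-in-progress: true

jobs:
  build:
    # Skip forks: they have neither the Slack secrets nor code-scanning enabled.
    if: github.repository == 'github/docs-internal' || github.repository == 'github/docs'
    runs-on: ubuntu-latest
    steps:
      # Third-party actions are pinned to full commit SHAs (tag in the trailing
      # comment) so a moved tag cannot change what runs here.
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - uses: github/codeql-action/init@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
        with:
          languages: javascript # comma separated list of values from {go, python, javascript, java, cpp, csharp, ruby}

      # `continue-on-error` keeps an analysis failure from blocking PRs.
      # Because the job then still reports success, `failure()` alone would
      # never fire the alert step below; the step `id` lets the alert look at
      # the step's own pre-continue-on-error `outcome` instead.
      - uses: github/codeql-action/analyze@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
        id: analyze
        continue-on-error: true

      # Alert on pushes to main only (PR failures are visible on the PR itself).
      # Fires if any earlier step failed the job, or if the analysis step
      # itself failed but was swallowed by continue-on-error.
      - uses: ./.github/actions/slack-alert
        if: ${{ (failure() || steps.analyze.outcome == 'failure') && github.event_name != 'pull_request' }}
        with:
          slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }}
          slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}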