# Security scanning with Microsoft C++ Code Analysis.
# Checks any master integration and publish warnings into security GitHub tab.
#
# Find more information at:
# https://github.com/microsoft/msvc-code-analysis-action

name: Microsoft C++ Code Analysis

on:
  push:
    branches:
      - 'master'

env:
  # Path to the CMake build directory.
  build: '${{ github.workspace }}/build'
  config: 'Debug'

permissions:
  contents: read

jobs:
  analyze:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    name: Analyze
    runs-on: windows-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4.1.7

      - name: Install dependencies
        run: |
            choco install cmake --installargs 'ADD_CMAKE_TO_PATH=System' -y
            choco install magicsplat-tcl-tk -y
          
      - name: Configure CMake
        run: |
          mkdir build
          cd build
          cmake -D USE_FREETYPE=OFF -DCMAKE_BUILD_TYPE=${{ env.config }} ..

      - name: Run MSVC Code Analysis
        uses: microsoft/msvc-code-analysis-action@v0.1.1
        # Provide a unique ID to access the sarif output path
        id: run-analysis
        with:
          cmakeBuildDirectory: ${{ env.build }}
          buildConfiguration: ${{ env.config }}
          # Ruleset file that will determine what checks will be run
          ruleset: NativeRecommendedRules.ruleset
          # Paths to ignore analysis of CMake targets and includes
          # ignoredPaths: ${{ github.workspace }}/dependencies;${{ github.workspace }}/test

      # Upload SARIF file to GitHub Code Scanning Alerts
      - name: Upload SARIF to GitHub
        uses: github/codeql-action/upload-sarif@v3.26.5
        with:
          sarif_file: ${{ steps.run-analysis.outputs.sarif }}