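---
# Runs tflint over the Terraform sources (built through the repository's Nix
# flake output `.#tflint`) and uploads the resulting SARIF report to GitHub
# code scanning.
name: tflint

# "on" looks like a YAML 1.1 boolean to generic parsers; GitHub's loader handles it.
on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
    paths:
      - "terraform/**"
      - ".github/workflows/tflint.yaml"
  pull_request:
    paths:
      - "terraform/**"
      - ".github/workflows/tflint.yaml"
  workflow_dispatch:

jobs:
  scan:
    name: Scan
    runs-on: ubuntu-latest
    # Listing any permission at job level resets every unlisted scope to "none",
    # so every scope the job needs must appear here.
    permissions:
      contents: read          # actions/checkout reads the repository with GITHUB_TOKEN
      security-events: write  # required by github/codeql-action/upload-sarif
      # On private repositories upload-sarif additionally needs `actions: read`.
    steps:
      - name: Checkout repository
        # Tag references are mutable; pinning to a full commit SHA is the
        # stronger supply-chain control if the repo adopts it.
        uses: actions/checkout@v4

      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v16
        with:
          diagnostic-endpoint: ""  # empty value opts out of the installer's diagnostics reporting

      - name: Build tflint report
        id: tflint-run
        # Capture the store path in a variable first. Under the default
        # `bash -e` shell, a failing `nix build` inside `echo "...$(...)"` is
        # masked by echo's own exit status, so the step would succeed with an
        # empty path and the upload step would fail later with a confusing
        # error. A plain assignment propagates the substitution's exit status.
        run: |
          sarif="$(nix build --no-link --print-build-logs --print-out-paths .#tflint)"
          echo "sarif-file=${sarif}" >> "$GITHUB_OUTPUT"

      - name: Upload results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.tflint-run.outputs.sarif-file }}
          wait-for-processing: true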