name: tflint

on:
  push:
    branches: [ main ]
  pull_request:
  workflow_dispatch:

jobs:
  scan:
    name: Scan

    runs-on: ubuntu-latest

    permissions:
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install Nix
        uses: cachix/install-nix-action@v31

      - name: Build tflint report
        id: tflint-run
        run: |
          echo "sarif-file=$(nix build --no-link --print-build-logs --print-out-paths .#tflint)" >> "$GITHUB_OUTPUT"

      - name: Upload results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.tflint-run.outputs.sarif-file }}
          wait-for-processing: true