ci: make clippy it's own workflow again

1 files changed, 63 insertions, 0 deletions

diff --git a/.github/workflows/clippy.yaml b/.github/workflows/clippy.yaml
new file mode 100644
index 0000000..a37fde3
--- /dev/null
+++ b/.github/workflows/clippy.yaml
@@ -0,0 +1,63 @@
+name: Clippy
+
+on:
+  push:
+    paths:
+      - 'Cargo.toml'
+      - 'Cargo.lock'
+      - '**.rs'
+  pull_request:
+    paths:
+      - 'Cargo.toml'
+      - 'Cargo.lock'
+      - '**.rs'
+  workflow_dispatch:
+
+jobs:
+  clippy:
+    name: Run scan
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v10
+
+      - name: Setup Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@v4
+
+      - name: Setup Rust cache
+        uses: Swatinem/rust-cache@v2
+
+      - name: Install SARIF tools
+        run: |
+          nix profile install \
+            --inputs-from ./nix/dev \
+            github:getchoo/nix-exprs#{clippy-sarif,sarif-fmt}
+
+      - name: Fetch Cargo deps
+        run: |
+          nix develop ./nix/dev#ci --command \
+            cargo fetch --locked
+
+      - name: Run Clippy
+        continue-on-error: true
+        run: |
+          nix develop ./nix/dev#ci --command \
+            cargo clippy \
+            --all-features \
+            --all-targets \
+            --message-format=json \
+          | clippy-sarif | tee /tmp/clippy.sarif | sarif-fmt
+
+      - name: Upload results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: /tmp/clippy.sarif
+          wait-for-processing: true