name: Clippy

on:
  push:
    paths:
      - 'Cargo.toml'
      - 'Cargo.lock'
      - '**.rs'
  pull_request:
    paths:
      - 'Cargo.toml'
      - 'Cargo.lock'
      - '**.rs'
  workflow_dispatch:

jobs:
  clippy:
    name: Run scan

    runs-on: ubuntu-latest

    permissions:
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v11

      - name: Setup Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@v6

      - name: Setup Rust cache
        uses: Swatinem/rust-cache@v2

      - name: Install SARIF tools
        run: |
          nix profile install \
            --inputs-from . \
            github:getchoo/nix-exprs#{clippy-sarif,sarif-fmt}

      - name: Fetch Cargo deps
        run: |
          nix develop .#ci --command \
            cargo fetch --locked

      - name: Run Clippy
        continue-on-error: true
        run: |
          nix develop .#ci --command \
            cargo clippy \
            --all-features \
            --all-targets \
            --message-format=json \
          | clippy-sarif | tee /tmp/clippy.sarif | sarif-fmt

      - name: Upload results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: /tmp/clippy.sarif
          wait-for-processing: true