name: "Clippy"

on:
  push:
    branches: [ "main" ]
    paths:
      - "**.rs"
      - "**.lock"
      - "Cargo.toml"
      - "flake.nix"

      - ".github/workflows/clippy.yaml"
  pull_request:
    paths:
      - "**.rs"
      - "**.lock"
      - "Cargo.toml"
      - "flake.nix"

      - ".github/workflows/clippy.yaml"
  workflow_dispatch:

jobs:
  clippy:
    name: "Run scan"

    runs-on: "ubuntu-latest"

    permissions:
      contents: "read"
      security-events: "write"

    steps:
      - name: "Checkout repository"
        uses: "actions/checkout@v4"

      - name: "Install Nix"
        uses: "cachix/install-nix-action@v31"

      - name: "Run Clippy"
        id: "clippy-run"
        run: |
          nix build --print-build-logs .#checks.x86_64-linux.clippy-sarif
          [ -L result ] || exit 1
          echo "sarif-file=$(readlink -f result)" >> "$GITHUB_OUTPUT"

      - name: "Upload results"
        uses: "github/codeql-action/upload-sarif@v3"
        with:
          sarif_file: ${{ steps.clippy-run.outputs.sarif-file }}
          wait-for-processing: true