name: clippy

on:
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:

jobs:
  clippy:
    runs-on: ubuntu-latest

    permissions:
      contents: read
      security-events: write

    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: Swatinem/rust-cache@v2

      - name: enter shell
        run: |
          nix develop --accept-flake-config

      - name: fetch cargo deps
        run: cargo fetch --locked --target x86_64-unknown-linux-gnu

      - name: run clippy
        run: |
          cargo clippy --all --all-targets --message-format=json \
            | nix run --accept-flake-config github:getchoo/nix-exprs#clippy-sarif > /tmp/clippy.sarif

      - name: upload results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: /tmp/clippy.sarif