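---
# Builds the flake's `clippy-sarif` check with Nix and uploads the resulting
# SARIF report to GitHub code scanning.
name: Clippy

on:
  push:
    paths:
      - '**.rs'
      - '.github/workflows/clippy.yaml'
      - 'Cargo.lock'
      - 'Cargo.toml'
    branches: [main]
  # `pull_request` (not `pull_request_target`) keeps the build of contributed
  # code away from a write-scoped token. The usual consequence is that the
  # SARIF upload cannot succeed for pull requests from forks, where the
  # token is read-only.
  pull_request:
    paths:
      - '**.rs'
      - '.github/workflows/clippy.yaml'
      - 'Cargo.lock'
      - 'Cargo.toml'
  workflow_dispatch:

jobs:
  clippy:
    name: Run scan
    runs-on: ubuntu-latest
    # Declaring any scope here sets every unlisted scope to `none`, so the
    # read access that checkout needs is listed explicitly instead of relying
    # on the repository being public.
    # NOTE(review): private repositories may additionally need `actions: read`
    # for upload-sarif; confirm against the action's documentation.
    permissions:
      contents: read
      security-events: write
    steps:
      # NOTE(review): all actions below are referenced by mutable major-version
      # tags. Pinning each to a full commit SHA (with the tag in a trailing
      # comment) prevents a retagged release from running in this job.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # No later step pushes or fetches, so do not leave the token in
          # .git/config while repository code is being built.
          persist-credentials: false

      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v13

      - name: Setup Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@v8

      - name: Run Clippy
        id: clippy-run
        run: |
          nix build --print-build-logs .#checks.x86_64-linux.clippy-sarif
          # Fail if the build did not leave the expected `result` symlink.
          [ -L result ] || exit 1
          # Export the resolved store path for the upload step.
          echo "sarif-file=$(readlink -f result)" >> "$GITHUB_OUTPUT"

      - name: Upload results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.clippy-run.outputs.sarif-file }}
          # Block until code scanning has ingested the report so processing
          # errors fail this job.
          wait-for-processing: true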