name: ESLint

on:
  push:
    branches: [main]
    paths:
      - "**.ts"
      - "**.astro"
      - "package.json"
      - "pnpm-lock.yaml"

      - "astro.config.ts"
      - "eslint.config.js"
      - "tsconfig.json"

      - "flake.nix"
      - "flake.lock"

      - ".github/workflows/eslint.yaml"
  pull_request:
    paths:
      - "**.ts"
      - "**.astro"
      - "package.json"
      - "pnpm-lock.yaml"

      - "astro.config.ts"
      - "eslint.config.js"
      - "tsconfig.json"

      - "flake.nix"
      - "flake.lock"

      - ".github/workflows/eslint.yaml"

jobs:
  eslint:
    name: Run scan

    runs-on: ubuntu-latest

    permissions:
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install Nix
        uses: cachix/install-nix-action@v31
        with:
          nix_path: nixpkgs=channel:nixos-unstable

      - name: Install Dependencies
        run: |
          nix-shell ci-shell.nix --command 'pnpm install --frozen-lockfile'

      - name: Run ESLint
        continue-on-error: true
        run: |
          nix-shell ci-shell.nix --command \
            'nrr lint \
            --format @microsoft/eslint-formatter-sarif \
            --output-file /tmp/results.sarif'

      - name: Upload Results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: /tmp/results.sarif
          wait-for-processing: true