static-analysis.yml

name: Static Analysis

on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main

env:
  GRADLE_OPTS: -Dorg.gradle.daemon=false

jobs:
  commit-lint:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout Repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0
      - name: Check Commit Messages
        uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1
        with:
          configFile: .commitlintrc.yml
  code-base-checks:
    runs-on: ubuntu-24.04
    steps:
    - name: Checkout Repository
      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
    - name: Check copyrights, license headers, and .gitattributes
      run: ./gradlew checkCopyrightsInNoticeFile checkLicenseHeaders checkGitAttributes
  completions:
    runs-on: ubuntu-24.04
    steps:
    - name: Checkout Repository
      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
    - name: Setup Java
      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
      with:
        distribution: temurin
        java-version: 21
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
    - name: Generate completions
      run: |
        ./scripts/generate_completion_scripts.sh
    - name: Check if completions are up-to-date
      run: |
        if git diff --exit-code; then
          echo "Completions are up-to-date."
        else
          echo "Completions are not up-to-date."
          echo "Please always run the script below when changing CLI commands:"
          echo "./scripts/generate_completion_scripts.sh"
          exit 1
        fi
  build-health:
    runs-on: ubuntu-24.04
    steps:
    - name: Checkout Repository
      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
    - name: Check Build Health
      run: ./gradlew buildHealth checkSortDependencies
  detekt-issues:
    runs-on: ubuntu-24.04
    permissions:
      # Needed for SARIF scanning upload.
      security-events: write
    steps:
    - name: Checkout Repository
      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
    - name: Check for Detekt Issues
      run: ./gradlew detekt
    - name: Check for Detekt Issues with type resolution
      run: ./gradlew detektMain detektTestFixtures detektTest detektFunTest
    - name: Upload SARIF File
      uses: github/codeql-action/upload-sarif@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
      if: always() # Upload even if the previous step failed.
      with:
        sarif_file: build/reports/detekt/merged.sarif
  markdown-links:
    runs-on: ubuntu-24.04
    steps:
    - name: Checkout Repository
      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
    - name: Check Links
      uses: umbrelladocs/action-linkspector@036f295d12b67b0c4b445bc83db0538afb78db69 # v1.5.2
      with:
        fail_level: error
  markdownlint:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout Repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0
      - name: Setup Node
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
      - name: Check for Markdown issues
        run: |
          npm install -g markdownlint-rule-max-one-sentence-per-line@0.0.2
          npx markdownlint-cli2
  prettier-website:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout Repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24
          cache: npm
          cache-dependency-path: website/package-lock.json
      - name: Install dependencies
        run: npm ci
        working-directory: website
      - name: Run Prettier
        run: npm run format:check
        working-directory: website
  qodana-scan:
    if: ${{ github.event_name == 'pull_request' }}
    runs-on: ubuntu-24.04
    permissions:
      # Needed for SARIF scanning upload.
      security-events: write
    steps:
    - name: Checkout Repository
      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      with:
        fetch-depth: 0
    - name: Qodana Scan
      uses: JetBrains/qodana-action@d7b5ec2fbec32197ef447c450e00589ed5f34fd5 # v2026.1.0
      with:
        post-pr-comment: false
        use-caches: false
    - name: Upload Code Scanning Results
      uses: github/codeql-action/upload-sarif@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
      with:
        sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json
  renovate-validation:
    runs-on: ubuntu-24.04
    steps:
    - name: Checkout Repository
      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
    - name: Validate Renovate Config
      run: npx -y --package renovate@latest -- renovate-config-validator renovate.json
  reuse-tool:
    runs-on: ubuntu-24.04
    steps:
    - name: Checkout Repository
      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
    - name: Check REUSE Compliance
      uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6