# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# This file is part of a Moko Consulting project.
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# FILE INFORMATION
# DEFGROUP: Gitea.Workflow.Template
# INGROUP: MokoStandards.Security
# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
# PATH: /templates/workflows/generic/codeql-analysis.yml.template
# VERSION: 04.06.00
# BRIEF: CodeQL security scanning workflow (generic — all repo types)
# NOTE: Deployed to .github/workflows/codeql-analysis.yml in governed repos.
#       CodeQL does not support PHP directly; JavaScript scans JSON/YAML/shell.
#       For PHP-specific security scanning see standards-compliance.yml.

name: CodeQL Security Scanning

on:
  push:
    branches:
      - main
      - dev/**
      - rc/**
      - version/**
  pull_request:
    branches:
      - main
      - dev/**
      - rc/**
  schedule:
    # Weekly on Monday at 06:00 UTC
    - cron: '0 6 * * 1'
  workflow_dispatch:

permissions:
  actions: read
  contents: read
  security-events: write
  pull-requests: read

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    timeout-minutes: 360

    strategy:
      fail-fast: false
      matrix:
        # CodeQL does not support PHP. Use 'javascript' to scan JSON, YAML,
        # and shell scripts. Add 'actions' to scan GitHub Actions workflows.
        language: ['javascript', 'actions']

    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended,security-and-quality

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
          upload: true
          output: sarif-results
          wait-for-processing: true

      - name: Upload SARIF results
        if: always()
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.5.0
        with:
          name: codeql-results-${{ matrix.language }}
          path: sarif-results
          retention-days: 30

      - name: Step summary
        if: always()
        run: |
          echo "### 🔍 CodeQL — ${{ matrix.language }}" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          URL="https://github.com/${{ github.repository }}/security/code-scanning"
          echo "See the [Security tab]($URL) for findings." >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "| Severity | SLA |" >> $GITHUB_STEP_SUMMARY
          echo "|----------|-----|" >> $GITHUB_STEP_SUMMARY
          echo "| Critical | 7 days |" >> $GITHUB_STEP_SUMMARY
          echo "| High     | 14 days |" >> $GITHUB_STEP_SUMMARY
          echo "| Medium   | 30 days |" >> $GITHUB_STEP_SUMMARY
          echo "| Low      | 60 days / next release |" >> $GITHUB_STEP_SUMMARY

  summary:
    name: Security Scan Summary
    runs-on: ubuntu-latest
    needs: analyze
    if: always()

    steps:
      - name: Summary
        run: |
          echo "### 🛡️ CodeQL Complete" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**Trigger:** ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY
          echo "**Branch:** ${{ github.ref_name }}" >> $GITHUB_STEP_SUMMARY
          SECURITY_URL="https://github.com/${{ github.repository }}/security"
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "📊 [View all security alerts]($SECURITY_URL)" >> $GITHUB_STEP_SUMMARY