codeql.yml

name: CodeQL

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
  schedule:
    - cron: '37 5 * * 1'

permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze Java/Kotlin
    # Private repositories require GitHub Code Security before CodeQL can upload SARIF.
    # Keep public repos scanning by default, and allow private repos to opt in once
    # repository-side code scanning is enabled.
    if: ${{ !github.event.repository.private || vars.ENABLE_PRIVATE_CODEQL == 'true' }}
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v5
        with:
          submodules: recursive

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: java-kotlin
          build-mode: manual

      - name: Set up JDK 17
        uses: actions/setup-java@v5
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: gradle

      - name: Set up Android SDK
        uses: android-actions/setup-android@v4

      - name: Install NDK
        run: sdkmanager "ndk;27.0.12077973"

      - name: Build for CodeQL
        run: ./gradlew --no-build-cache --no-configuration-cache --rerun-tasks -PnovaAbis=x86_64 assembleNonRoot_gameDebug

      - name: Analyze
        uses: github/codeql-action/analyze@v4