name: CI - Run CodeQL Analysis
on:
  push:
    branches: [main]
    paths-ignore:
      - 'docs/**'
  pull_request:
    branches: [main]
    paths-ignore:
      - 'docs/**'

permissions:
  contents: read

jobs:
  analyse:
    permissions:
      # for github/codeql-action/init to get workflow details
      actions: read
      # for actions/checkout to fetch code
      contents: read
      # for github/codeql-action/analyze to upload SARIF results
      security-events: write
    name: Analyse
    runs-on: ubuntu-20.04
    if: ${{ github.actor != 'renovate[bot]' && github.actor != 'camperbot' }}
    strategy:
      fail-fast: false
      matrix:
        language: ['javascript']
    steps:
      - name: Checkout repository
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
      - name: Setup CodeQL
        uses: github/codeql-action/init@2eeff7bf99c8a7519cedc062526ad4b79863e309 # tag=v1
        with:
          languages: ${{ matrix.language }}
      - name: Perform Analysis
        uses: github/codeql-action/analyze@2eeff7bf99c8a7519cedc062526ad4b79863e309 # tag=v1