PSRule.Monitor/.github/workflows/analyze.yaml

#
# Repository analysis
#

# NOTES:
# This workflow uses PSRule, CodeQL, and DevSkim.
# You can read more about these linting tools and configuration options here:
#   PSRule - https://aka.ms/ps-rule and https://github.com/Microsoft/PSRule.Rules.MSFT.OSS
#   CodeQL - https://codeql.github.com/docs/codeql-overview/about-codeql/
#   DevSkim - https://github.com/microsoft/DevSkim-Action and https://github.com/Microsoft/DevSkim

name: Analyze
on:
  push:
    branches: [main, 'release/*']
  pull_request:
    branches: [main, 'release/*']
  schedule:
    - cron: '24 22 * * 0' # At 10:24 PM, on Sunday each week
  workflow_dispatch:

env:
  DOTNET_NOLOGO: true
  DOTNET_CLI_TELEMETRY_OPTOUT: true

permissions: {}

jobs:
  oss:
    name: Analyze with PSRule
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run PSRule analysis
        uses: microsoft/ps-rule@v2.9.0
        with:
          modules: PSRule.Rules.MSFT.OSS
          prerelease: true
          outputFormat: Sarif
          outputPath: reports/ps-rule-results.sarif

      - name: Upload results to security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: reports/ps-rule-results.sarif

      - name: Upload results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: PSRule-Sarif
          path: reports/ps-rule-results.sarif
          retention-days: 1
          if-no-files-found: error

  devskim:
    name: Analyze with DevSkim
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run DevSkim scanner
        uses: microsoft/DevSkim-Action@v1
        with:
          directory-to-scan: .

      - name: Upload results to security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: devskim-results.sarif

      - name: Upload results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: DevSkim-Sarif
          path: devskim-results.sarif
          retention-days: 1
          if-no-files-found: error

  codeql:
    name: Analyze with CodeQL
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: 'csharp'

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        id: codeql-analyze

      - name: Upload results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: CodeQL-Sarif
          path: ${{ steps.codeql-analyze.outputs.sarif-output }}
          retention-days: 1
          if-no-files-found: error