# Copyright (c) Microsoft Corporation
# SPDX-License-Identifier: MIT

# This workflow executes the OSSAR action.

name: ossar-scan

on:
  workflow_call:
    inputs:
      # The name of the build artifact to download.
      build_artifact:
        required: true
        type: string

permissions:
  checks: read  # Required by fountainhead/action-wait-for-check to wait for another GitHub check to complete.
  contents: read  # Required by actions/checkout to fetch code.
  security-events: write # Required by codeql task

jobs:
  scan:
    timeout-minutes: 30

    strategy:
      matrix:
        # For now only run on release as debug builds of the MSVC are built without /Qspectre.
        configurations: [Release]

    # github/ossar-action doesn't run on windows-2019, requires windows-latest.
    runs-on: windows-latest
    env:
      # Configuration type to build.
      BUILD_CONFIGURATION: ${{matrix.configurations}}
      BUILD_PLATFORM: x64

    steps:
    - id: skip_check
      uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281 # v5.3.0
      with:
        cancel_others: 'false'
        paths_ignore: '["**.md", "**/docs/**"]'

    # Checking out the branch is needed to correctly log security alerts.
    - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
      if: steps.skip_check.outputs.should_skip != 'true'
      with:
        # Only check out main repo, not submodules.
        ref: ${{ github.event.workflow_run.head_branch }}

    - name: Download build artifact
      if: (steps.skip_check.outputs.should_skip != 'true') && success()
      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
      id: download_artifact
      with:
        name: ${{inputs.build_artifact}} ${{matrix.configurations}}
        path: ${{github.workspace}}/${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}}

    - name: Exclude external files
      if: steps.skip_check.outputs.should_skip != 'true'
      run: |
        pushd ${{github.workspace}}/${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}}
        Remove-Item @("clang_rt.*", "concrt*", "msvc*", "ucrt*", "vc*") -ErrorAction SilentlyContinue

    - name: Run OSSAR (Open Source Static Analysis Runner)
      if: steps.skip_check.outputs.should_skip != 'true'
      uses: github/ossar-action@c757d32d66bea728bc64e67e7d6de9696f7f37d3
      id: ossar

    - name: Upload results to Security tab
      if: steps.skip_check.outputs.should_skip != 'true'
      uses: github/codeql-action/upload-sarif@3ebbd71c74ef574dbc558c82f70e52732c8b44fe
      with:
        sarif_file: ${{ steps.ossar.outputs.sarifFile }}