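---
# CodeQL static-analysis workflow for the Go code in this repository.
# Runs on pushes and pull requests targeting main, plus a weekly scheduled
# scan so newly published query packs are applied even while the code is idle.
name: Security

# `on` is a YAML 1.1 boolean literal; GitHub's loader handles it, so the
# yamllint `truthy` rule is suppressed for this one line.
# yamllint disable-line rule:truthy
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Run CodeQL scan every Monday at 14:20 UTC
    - cron: "20 14 * * 1"

jobs:
  codeql-analysis:
    name: CodeQL Security Scan
    runs-on: ubuntu-latest
    # Least-privilege job token: `security-events: write` is the only scope
    # needed to upload SARIF results; everything else stays read-only.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      # The third-party actions below are referenced by mutable major-version
      # tags. For supply-chain hardening, consider pinning each `uses:` to a
      # full commit SHA (keeping the tag in a trailing comment) and letting
      # Dependabot or Renovate bump the pins.
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Setup Go
        uses: actions/setup-go@v6
        with:
          go-version: "1.25"  # quoted so YAML does not read it as the float 1.25
          cache: true

      - name: Verify Go installation
        run: |
          echo "Go version: $(go version)"
          echo "Go path: $(which go)"
          echo "GOROOT: $GOROOT"

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: go
          # CodeQL will use the Go version installed by setup-go above
          # Optionally use security-extended for more comprehensive scanning
          # queries: security-extended

      # CodeQL traces the compilation, so dependencies must be present and the
      # build must run after `init` and before `analyze`.
      - name: Install dependencies
        run: go mod download

      - name: Build for analysis
        run: go build -v ./...

      - name: Perform CodeQL Analysis
        id: codeql-analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "backend-security"
        # `continue-on-error` is a step-level key, not an action input under
        # `with:`. It keeps the job green when analysis or the SARIF upload
        # fails (e.g. code scanning not enabled) so the next step can explain
        # the situation. Trade-off: a broken scan never turns the workflow
        # red, so the warning annotation emitted below is the only signal --
        # check it on scheduled runs rather than relying on the job status.
        continue-on-error: true

      - name: Check CodeQL Results
        if: steps.codeql-analysis.outcome == 'failure'
        run: |
          # Emit a workflow-command warning so the failure appears as an
          # annotation on the run summary and PR checks, not only in the log.
          echo "::warning title=CodeQL::CodeQL analysis step failed; review the job log"
          echo "⚠️ CodeQL analysis completed with warnings/errors"
          echo "This may be due to:"
          echo "  1. Code scanning not enabled in repository settings"
          echo "  2. Security alerts that need review"
          echo ""
          echo "To enable code scanning:"
          echo "  Go to Settings > Security > Code security and analysis"
          echo "  Click 'Set up' under Code scanning"
          echo ""
          echo "Analysis results are still available in the workflow artifacts."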