.github/workflows/codacy.yml

name: Codacy
permissions: read-all
on: [ push, pull_request ]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.codacy.com:443
            api.github.com:443
            auth.docker.io:443
            github.com:443
            golang.org:443
            objects.githubusercontent.com:443
            production.cloudflare.docker.com:443
            raw.githubusercontent.com:443
            registry-1.docker.io:443
            *.blob.core.windows.net:443
      - name: Checkout code
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Run Codacy Analysis
        uses: codacy/codacy-analysis-cli-action@master
        continue-on-error: true
        with:
          format: sarif
          output: results.sarif
          gh-code-scanning-compat: true
          max-allowed-issues: 2147483647
      - name: Check file existence
        id: check_files
        uses: andstor/file-existence-action@20b4d2e596410855db8f9ca21e96fbe18e12930b # v2.0.0
        with:
          files: results.sarif
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
        if: steps.check_files.outputs.files_exists == 'true'
        with:
          sarif_file: results.sarif