# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# This workflow integrates a collection of open source static analysis tools
# with GitHub code scanning. For documentation, or to provide feedback, visit
# https://github.com/github/ossar-action
name: OSSAR

on:
  push:
    branches: [ "main" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "main" ]
  schedule:
    - cron: '0 0 * * *'

permissions:
  contents: read

jobs:
  OSSAR-Scan:
    # OSSAR runs on windows-latest.
    # ubuntu-latest and macos-latest support coming soon
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    runs-on: windows-latest

    steps:

    - name: Enable long paths in Git
      run: git config --system core.longpaths true

    - name: Checkout repository
      uses: actions/checkout@v4
      with:
        clean: true
        fetch-depth: 1  # Fetch only the latest commit

    # Ensure a compatible version of dotnet is installed.
    # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
    # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action.
    # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
    # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
    # - name: Install .NET
    #   uses: actions/setup-dotnet@v4
    #   with:
    #     dotnet-version: '3.1.x'

      # Run open source static analysis tools
    - name: Run OSSAR
      uses: github/ossar-action@v1
      id: ossar

      # Upload results to the Security tab
    - name: Upload OSSAR results
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: ${{ steps.ossar.outputs.sarifFile }}


    # Added this to protect failed checks
    - name: Fail on findings
      if: steps.ossar.outputs.exit_code != '0'
      run: exit 1