name: "CodeQL"

on:

push:

branches:

- master

- 'release/**'

pull_request:

# The branches below must be a subset of the branches above

branches:

- master

- 'release/**'

schedule:

#daily at 01:19 UTC

- cron: '19 1 * * *'

jobs:

analyze:

name: Analyze

runs-on: ubuntu-latest

permissions:

actions: read

contents: read

security-events: write

steps:

- name: Checkout repository

uses: actions/checkout@v6

with:

persist-credentials: false

# Initializes the CodeQL tools for scanning.

- name: Initialize CodeQL

uses: github/codeql-action/init@v4

with:

languages: java

- name: Set up JDK 25

uses: actions/setup-java@v5

with:

java-version: 25

distribution: temurin

check-latest: true

cache: maven

- name: Build with Maven

# Skip tests, code style, etc. This is handled in the regular CI workflows.

run: |

mvn clean package -B -V \

-DskipTests \

-Dgpg.skip \

-Dcheckstyle.skip \

-Denforcer.skip \

-Dmaven.javadoc.skip \

-Dspotless.check.skip=true \

-Danimal.sniffer.skip=true \

compile \

test-compile

- name: Perform CodeQL Analysis

uses: github/codeql-action/analyze@v4