immich/.github/workflows/static_analysis.yml

name: Static Code Analysis
on:
  workflow_dispatch:
  pull_request:
  push:
    branches: [main]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions: {}

jobs:
  pre-job:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      should_run: ${{ steps.found_paths.outputs.mobile == 'true' || steps.should_force.outputs.should_force == 'true' }}
    steps:
      - name: Checkout code
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          persist-credentials: false
      - id: found_paths
        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        with:
          filters: |
            mobile:
              - 'mobile/**'
            workflow:
              - '.github/workflows/static_analysis.yml'
      - name: Check if we should force jobs to run
        id: should_force
        run: echo "should_force=${{ steps.found_paths.outputs.workflow == 'true' || github.event_name == 'release' }}" >> "$GITHUB_OUTPUT"

  mobile-dart-analyze:
    name: Run Dart Code Analysis
    needs: pre-job
    if: ${{ needs.pre-job.outputs.should_run == 'true' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    defaults:
      run:
        working-directory: ./mobile
    steps:
      - name: Checkout code
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          persist-credentials: false

      - name: Setup Flutter SDK
        uses: subosito/flutter-action@fd55f4c5af5b953cc57a2be44cb082c8f6635e8e # v2.21.0
        with:
          channel: 'stable'
          flutter-version-file: ./mobile/pubspec.yaml

      - name: Install dependencies
        run: dart pub get

      - name: Install DCM
        uses: CQLabs/setup-dcm@8697ae0790c0852e964a6ef1d768d62a6675481a # v2.0.1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          version: auto
          working-directory: ./mobile

      - name: Generate translation file
        run: dart run easy_localization:generate -S ../i18n && dart run bin/generate_keys.dart

      - name: Run Build Runner
        run: make build

      - name: Generate platform API
        run: make pigeon

      - name: Find file changes
        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
        id: verify-changed-files
        with:
          files: |
            mobile/**/*.g.dart
            mobile/**/*.gr.dart
            mobile/**/*.drift.dart

      - name: Verify files have not changed
        if: steps.verify-changed-files.outputs.files_changed == 'true'
        env:
          CHANGED_FILES: ${{ steps.verify-changed-files.outputs.changed_files }}
        run: |
          echo "ERROR: Generated files not up to date! Run 'make build' and 'make pigeon' inside the mobile directory"
          echo "Changed files: ${CHANGED_FILES}"
          exit 1

      - name: Run dart analyze
        run: dart analyze --fatal-infos

      - name: Run dart format
        run: make format

      - name: Run dart custom_lint
        run: dart run custom_lint

      # TODO: Use https://github.com/CQLabs/dcm-action
      - name: Run DCM
        run: dcm analyze lib --fatal-style --fatal-warnings

  zizmor:
    name: zizmor
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
      actions: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          persist-credentials: false

      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2

      - name: Run zizmor 🌈
        run: uvx zizmor --format=sarif . > results.sarif
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
        with:
          sarif_file: results.sarif
          category: zizmor