name: "Cpplint Scan"

on:
  push:
    branches: [ devel, release/** ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ devel, release/** ]
    paths-ignore:
      - 'docs/**'
      - '**.md'
      - '.github/actions/spelling/**'
      - '.github/ISSUE_TEMPLATE/**'

jobs:
  cpplint:
    name: Cpplint
    runs-on: ubuntu-22.04
    permissions:
      actions: read
      contents: read
      security-events: write

    steps:
      - name: "Checkout F´ Repository"
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          submodules: true
      - uses: ./.github/actions/setup

      - name: Install cpplint
        run: pip install cpplint

      - name: Install xsltproc
        run: sudo apt-get install xsltproc -y

      - name: Install sarif tool
        run: npm i -g @microsoft/sarif-multitool

      - name: Run cpplint & export output to cppcheck format
        run: cpplint --counting=detailed --quiet --recursive . 2>&1 | python3 .github/scripts/cpplint_to_cppcheckxml.py &> cpplint_cppcheck_result.xml

      - name: Convert cpplint results to SARIF
        run: npx "@microsoft/sarif-multitool" convert "cpplint_cppcheck_result.xml" --tool "CppCheck" --output "cpplint_cppcheck_result.sarif"

      - name: Convert cpplint results to Markdown & Integrate them in the workflow summary
        run: xsltproc .github/scripts/cpplint-xml2text.xslt cpplint_cppcheck_result.xml | tee $GITHUB_STEP_SUMMARY cpplint_cppcheck_result.txt

      # See https://github.com/nasa/fprime/pull/1794 for why this is needed
      - name: Replace tool name in SARIF file
        run: |
          sed -i -e 's/\"name\": \"CppCheck\"/\"name\": \"CppLint\"/g' cpplint_cppcheck_result.sarif

      - name: Upload SARIF file to GitHub Code Scanning Alerts
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ github.workspace }}/cpplint_cppcheck_result.sarif
          category: "cpplint"

      - name: Archive static analysis artifacts to download and view
        uses: actions/upload-artifact@v4
        with:
          name: cpplint-errors
          path: ./*cpplint_cppcheck_result.*

      # Make the whole step fail if there is an error detected by cpplint. By default, GitHub Actions enables the set -e.
      # See https://stackoverflow.com/questions/73066461/github-actions-why-an-intermediate-command-failure-in-shell-script-would-cause.
      # - name: Check for reported errors
      #   run: tail -n 1 cpplint_cppcheck_result.txt | grep -q '^\*\*0 error(s) reported\*\*$'