Merge CodeQL & Build GitHub Actions (re. google#2294) (google#2307)

This is actually MORE (not less) efficient, because
those 2 actions (partially) did the same thing anyway,
so there really is no benefit to separately run them
in parallel, other than increased resource usage, and
more complexity to understand this project's CI.

.github/workflows/build.yml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: "GitHub Actions: Build"
+name: "Build"
 
 # Controls when the action will run. Triggers the workflow on push or pull request
 # events for the `master` branch
@@ -22,18 +22,34 @@ on:
  tags:
  build*
  pull_request:
+ # The branches below must be a subset of the branches above
  branches: [ master ]
+ schedule:
+ # Run once a week (even if no new code or PRs) to detect random regressions
+ - cron: '32 13 * * 2'
+
 env:
  # Allow precise monitoring of the save/restore of Gradle User Home by `gradle-build-action`
  # See https://github.com/marketplace/actions/gradle-build-action?version=v2.1.1#cache-debugging-and-analysis
  GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: "fhir" # change this to invalidate cache
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+
+ # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
  # Build will compile APK, test APK and run tests, lint, etc.
  build:
-
  runs-on: ubuntu-22.04-8core
+ timeout-minutes: 60
+ permissions:
+ actions: read
+ contents: read
+ # Required by codeql-action
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'java' ]
 
  # Steps represent a sequence of tasks that will be executed as part of the job
  steps:
@@ -49,17 +65,31 @@ jobs:
  # Fetch origin/master for spotless ratchet to work
  # https://github.com/diffplug/spotless/issues/1242
  fetch-depth: 0
+
  - name: Setup machine
  uses: ./.github/actions/commonSetup
 
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+
+ - name: Build (minimal, for CodeQL) with Gradle
+ run: ./gradlew --scan --full-stacktrace compileDebugAndroidTestSources
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"
+
  - name: Spotless check
- run: ./gradlew spotlessCheck --scan --stacktrace
+ run: ./gradlew spotlessCheck --scan --full-stacktrace
 
- - name: Build with Gradle
- run: ./gradlew build --scan --stacktrace
+ - name: Build (full) with Gradle
+ run: ./gradlew build --scan --full-stacktrace
 
  - name: Check with Gradle
- run: ./gradlew check --scan --stacktrace
+ run: ./gradlew check --scan --full-stacktrace
 
  - name: Release artifacts to local repo
  run: ./gradlew publishReleasePublicationToCIRepository --scan