From fd4df414f1173557012e32fdeeed2b7014816936 Mon Sep 17 00:00:00 2001 From: Michael Vorburger Date: Thu, 26 Oct 2023 11:46:51 +0200 Subject: [PATCH] Merge CodeQL & Build GitHub Actions (re. #2294) This is actually MORE (not less) efficient, because those 2 actions (partially) did the same thing anyway, so there really is no benefit to separately run them in parallel, other than increased resource usage, and more complexity to understand this project's CI. --- .github/workflows/build.yml | 44 +++++++++++++++++++++++++----- .github/workflows/codeql.yaml | 51 ----------------------------------- 2 files changed, 37 insertions(+), 58 deletions(-) delete mode 100644 .github/workflows/codeql.yaml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9ffbca252b..a9b39f298c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -name: "GitHub Actions: Build" +name: "Build" # Controls when the action will run. Triggers the workflow on push or pull request # events for the `master` branch 
@@ -22,18 +22,34 @@ on: tags: build* pull_request: + # The branches below must be a subset of the branches above branches: [ master ] + schedule: + # Run once a week (even if no new code or PRs) to detect random regressions + - cron: '32 13 * * 2' + env: # Allow precise monitoring of the save/restore of Gradle User Home by `gradle-build-action` # See https://github.com/marketplace/actions/gradle-build-action?version=v2.1.1#cache-debugging-and-analysis GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: "fhir" # change this to invalidate cache -# A workflow run is made up of one or more jobs that can run sequentially or in parallel + + # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: # Build will compile APK, test APK and run tests, lint, etc. build: - runs-on: ubuntu-22.04-8core + timeout-minutes: 60 + permissions: + actions: read + contents: read + # Required by codeql-action + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'java' ] # Steps represent a sequence of tasks that will be executed as part of the job steps: 
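Review bot: The job-level `permissions` block added under `build:` grants `security-events: write` to every step of the merged job, whereas the deleted codeql.yaml confined that scope to a job that only checked out, compiled and analysed. The `build` job continues outside this hunk and also runs the local `commonSetup` action, the full Gradle build and checks, and the publish step, all under a token carrying that scope. Consider keeping CodeQL as a second job in this workflow with its own `permissions` and leaving `build` at `contents: read`, or at least widening the comment to `# Required by codeql-action; note this applies to every step in the job`. Separately, as far as the collapsed layout can be read, `runs-on: ubuntu-22.04-8core` is removed here with no replacement line visible, so confirm the job still declares a runner.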
@@ -49,17 +65,31 @@ jobs: # Fetch origin/master for spotless ratchet to work # https://github.com/diffplug/spotless/issues/1242 fetch-depth: 0 + - name: Setup machine uses: ./.github/actions/commonSetup + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + + - name: Build (minimal, for CodeQL) with Gradle + run: ./gradlew --scan --full-stacktrace compileDebugAndroidTestSources + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" + - name: Spotless check - run: ./gradlew spotlessCheck --scan --stacktrace + run: ./gradlew spotlessCheck --scan --full-stacktrace - - name: Build with Gradle - run: ./gradlew build --scan --stacktrace + - name: Build (full) with Gradle + run: ./gradlew build --scan --full-stacktrace - name: Check with Gradle - run: ./gradlew check --scan --stacktrace + run: ./gradlew check --scan --full-stacktrace - name: Release artifacts to local repo run: ./gradlew publishReleasePublicationToCIRepository --scan diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml deleted file mode 100644 index 25e4197f6b..0000000000 --- a/.github/workflows/codeql.yaml +++ /dev/null 
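Review bot: The two added `uses:` lines reference `github/codeql-action/init@v2` and `github/codeql-action/analyze@v2` by a movable tag, in a job that now holds `security-events: write`. Pinning each to a full commit SHA and keeping the tag as a trailing comment, e.g. `uses: github/codeql-action/init@<full-commit-sha> # v2`, means the code that runs is the code that was reviewed. The "Build (minimal, for CodeQL)" step would also benefit from a comment such as `# CodeQL analyses only what is compiled between init and analyze; keep this step in between`, so a later reordering does not silently empty the analysis. The `steps:` list starts before and continues after this hunk, so the checkout step and anything after the publish step were not reviewed here.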
@@ -1,51 +0,0 @@ -name: "CodeQL" - -on: - push: - branches: [ "master" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "master" ] - schedule: - - cron: '32 13 * * 2' - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-22.04-8core - timeout-minutes: 60 - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: [ 'java' ] - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Switch to Java 17 from Eclipse Temurin distro - uses: actions/setup-java@v3 - with: - java-version: 17 - distribution: temurin - - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - - # TODO: use Autobuild instead of ./gradlew after https://github.com/github/codeql-action/issues/1417 is fixed - # - name: Autobuild - # uses: github/codeql-action/autobuild@v2 - - name: Build with Gradle - run: ./gradlew --scan --full-stacktrace -Dorg.gradle.dependency.verification=off compileDebugAndroidTestSources - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - with: - category: "/language:${{matrix.language}}"