Revert codacy workflow

.github/workflows/codacy.yml

@@ -1,6 +1,7 @@
-# Codacy Security Scan (revised: replaced docker action with codacy-cli-v2 install+analyze)
+# This workflow checks out code, performs a Codacy security scan
-# - Uses codacy-cli-v2 installer to run analyze when the docker image pre-pull succeeds
+# and integrates the results with the
-# Codacy security scan action usage and parameters, see
+# GitHub Advanced Security code scanning feature.  For more information on
+# the Codacy security scan action usage and parameters, see
 # https://github.com/codacy/codacy-analysis-cli-action.
 # For more information on Codacy Analysis CLI in general, see
 # https://github.com/codacy/codacy-analysis-cli.
@@ -11,6 +12,7 @@ on:
   push:
     branches: [ "main" ]
   pull_request:
+    # The branches below must be a subset of the branches above
     branches: [ "main" ]
   schedule:
     - cron: '44 7 * * 0'
@@ -20,22 +22,14 @@ permissions:
 
 jobs:
   codacy-security-scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     name: Codacy Security Scan
     runs-on: ubuntu-latest
-
-    env:
-      CLI_VERSION: "4.0.0"
-      CODACY_CLI_V2_VERSION: ""
-      CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }}
-      MAX_PULL_RETRIES: 6
-      PULL_RETRY_BASE: 5
-
-    permissions:
-      contents: read
-      security-events: write
-      actions: read
-
     steps:
+      # Checkout the repository to the GitHub Actions runner
       - name: Checkout code
         uses: actions/checkout@v4
 
@@ -43,60 +37,23 @@ jobs:
         run: |
           find . -type f -exec file --mime {} + | grep -v 'charset=utf-8' || true
 
-      - name: Pre-pull Codacy CLI Docker image
+      # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
-        run: |
+      - name: Run Codacy Analysis CLI
-          set -euo pipefail
+        uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b
-          IMAGE="codacy/codacy-analysis-cli:${CLI_VERSION}"
+        with:
-          echo "CODACY_DOCKER_OK=false" >> $GITHUB_ENV
+          # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository
-          for i in $(seq 1 $MAX_PULL_RETRIES); do
+          # You can also omit the token and run the tools that support default configurations
-            echo "Attempt $i to pull $IMAGE"
+          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
-            if docker pull "$IMAGE"; then
+          verbose: true
-              echo "Successfully pulled $IMAGE"
+          output: results.sarif
-              echo "CODACY_DOCKER_OK=true" >> $GITHUB_ENV
+          format: sarif
-              break
+          # Adjust severity of non-security issues
-            fi
+          gh-code-scanning-compat: true
-            if [ "$i" -lt "$MAX_PULL_RETRIES" ]; then
+          # Force 0 exit code to allow SARIF file generation
-              sleep_time=$(( PULL_RETRY_BASE * 2 ** (i - 1) + RANDOM % 5 + 1 ))
+          # This will handover control about PR rejection to the GitHub side
-              echo "Retrying in $sleep_time seconds..."
+          max-allowed-issues: 2147483647
-              sleep "$sleep_time"
-            else
-              echo "Failed to pull $IMAGE after $i attempts."
-            fi
-          done
-
-      - name: Run Codacy CLI v2 (Install and Analyze)
-        if: env.CODACY_DOCKER_OK == 'true'
-        run: |
-          set -euo pipefail
-          echo "Installing codacy-cli-v2"
-          curl -Ls https://raw.githubusercontent.com/codacy/codacy-cli-v2/main/codacy-cli.sh | bash
-          echo "Verifying installation directory"
-          ls -alh $HOME/.codacy/bin || { echo "Installation directory does not exist"; exit 1; }
-          echo "Adding codacy-cli to PATH"
-          export PATH="$HOME/.codacy/bin:$PATH"
-          echo "Verifying codacy-cli command"
-          which codacy-cli || { echo "codacy-cli not found in PATH"; exit 1; }
-          echo "Running codacy-cli analyze"
-          codacy-cli analyze --format sarif --output results.sarif \
-            --project-token "${CODACY_PROJECT_TOKEN}" --gh-code-scanning-compat --verbose || true
-
-      - name: Run Codacy Analysis CLI (Fallback)
-        if: env.CODACY_DOCKER_OK != 'true'
-        run: |
-          set -euo pipefail
-          echo "Fallback to GitHub Releases API"
-          RELEASE_URL="https://api.github.com/repos/codacy/codacy-analysis-cli/releases/tags/${CLI_VERSION}"
-          RELEASE=$(curl -sS "$RELEASE_URL")
-          ASSET_URL=$(echo "$RELEASE" | jq -r '.assets[] | select(.name | test(".*\\.zip$")) | .browser_download_url')
-          if [ -z "$ASSET_URL" ]; then
-            echo "::error::No suitable asset found"
-            exit 1
-          fi
-          curl -L -o codacy-cli.zip "$ASSET_URL"
-          unzip codacy-cli.zip
-          ./codacy-analysis-cli analyze --format sarif --output results.sarif \
-            --project-token "${CODACY_PROJECT_TOKEN}" --gh-code-scanning-compat --verbose || true
 
+      # Upload the SARIF file generated in the previous step
       - name: Upload SARIF results file
         uses: github/codeql-action/upload-sarif@v3
         with: