Autosync Crowdin Translations (#4494) #3

	name: Scan Protected Branches On Push

	on:
	workflow_dispatch:
	push:
	branches:
	- "main"

	jobs:
	sast:
	name: SAST scan
	runs-on: ubuntu-24.04
	permissions:
	contents: read
	security-events: write

	steps:
	- name: Check out repo
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	fetch-depth: 0

	- name: Scan with Checkmarx
	uses: checkmarx/ast-github-action@b74e8d514feae4ad5ad2b43e72590935bd2daf5f # 2.0.39
	with:
	project_name: ${{ github.repository }}
	cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
	base_uri: https://ast.checkmarx.net/
	cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
	cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
	additional_params: \|
	--report-format sarif \
	--filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
	--output-path .

	- name: Upload Checkmarx results to GitHub
	uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
	with:
	sarif_file: cx_result.sarif

	quality:
	name: Quality scan
	runs-on: ubuntu-24.04
	permissions:
	contents: read

	steps:
	- name: Check out repo
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	fetch-depth: 0

	- name: Scan with SonarCloud
	uses: sonarsource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1
	env:
	SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
	with:
	args: >
	-Dsonar.organization=${{ github.repository_owner }}
	-Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}

Provide feedback