---
# Required-check workflow: lints the workflow files themselves (actionlint),
# the Docker helper scripts (shellcheck) and the GHA devscripts (pytest),
# and runs a zizmor audit in a separate job.
name: Test and lint workflows

on:
  push:
    branches:
      - master
  # This workflow contains required checks and needs to run for EVERY pull_request
  pull_request:
    branches:
      - '**'

# No token permissions at workflow level; each job grants only what it needs.
permissions: {}

concurrency:
  group: test-workflows-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

env:
  # Pinned actionlint release. The downloaded tarball is checked below against
  # both its build provenance (gh attestation verify) and this sha256.
  ACTIONLINT_VERSION: "1.7.12"
  ACTIONLINT_SHA256SUM: "8aca8db96f1b94770f1b0d72b6dddcb1ebb8123cb3712530b08cc387b349a3d8"
  ACTIONLINT_REPO: rhysd/actionlint
  GH_TELEMETRY: "false"

jobs:
  check:
    # Required check; do not change name
    name: Check workflows
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # Do not leave the job token behind in the checkout's git config.
          persist-credentials: false

      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          python-version: "3.13"  # Keep this in sync with release.yml's prepare job

      # Every requirements file is installed with --require-hashes.
      - name: Install Python dependencies
        run: |
          python -m pip install -U --require-hashes -r "bundle/requirements/requirements-pip.txt"
          python -m pip install -U --require-hashes -r "bundle/requirements/requirements-pyflakes.txt"
          python -m pip install -U --require-hashes -r "bundle/requirements/requirements-test.txt"

      # Fetch the pinned actionlint release, verify its provenance attestation
      # and the pinned sha256, then extract only the `actionlint` member.
      # With an explicit `shell: bash` the script runs under -eo pipefail, so a
      # failed verification aborts the step before the binary is installed.
      - name: Install requirements
        env:
          # Used by `gh release download` and `gh attestation verify`.
          GH_TOKEN: ${{ github.token }}
          ACTIONLINT_TARBALL: ${{ format('actionlint_{0}_linux_amd64.tar.gz', env.ACTIONLINT_VERSION) }}
        shell: bash
        run: |
          sudo apt -y install shellcheck
          gh release download \
            --repo "${ACTIONLINT_REPO}" \
            --pattern "${ACTIONLINT_TARBALL}" \
            "v${ACTIONLINT_VERSION}"
          gh attestation verify \
            --repo "${ACTIONLINT_REPO}" \
            "${ACTIONLINT_TARBALL}"
          printf '%s %s' "${ACTIONLINT_SHA256SUM}" "${ACTIONLINT_TARBALL}" | sha256sum -c -
          tar xvzf "${ACTIONLINT_TARBALL}" actionlint
          sudo install -D --mode=755 actionlint /usr/bin/

      - name: Run actionlint
        run: |
          actionlint -color

      - name: Check Docker shell scripts
        run: |
          shellcheck bundle/docker/linux/*.sh

      - name: Test GHA devscripts
        run: |
          pytest -Werror --tb=short --color=yes devscripts/setup_variables_tests.py

  zizmor:
    # Required check; do not change name
    name: Run zizmor
    permissions:
      contents: read
      actions: read  # Needed by zizmorcore/zizmor-action if repository is private
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false

      - name: Run zizmor
        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e  # v0.5.3
        with:
          advanced-security: false
          persona: pedantic