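# Generated by Gabo (https://github.com/ashishb/gabo)
---
# Lints the workflow files under .github/workflows in two independent jobs:
#   - lintGitHubActionsWithActionLint: syntax/semantic checks with actionlint
#   - lintGitHubActionsForSecurity: security audit with zizmor
#
# Run this locally with act - https://github.com/nektos/act
# act -j lintGitHubActions
name: Lint GitHub Actions

on:  # yamllint disable-line rule:truthy
  push:
    branches: [master, main]
    paths:
      - ".github/workflows/**.yml"
      - ".github/workflows/**.yaml"
  pull_request:
    branches: [master, main]
    paths:
      - ".github/workflows/**.yml"
      - ".github/workflows/**.yaml"

# One run per workflow/ref pair; a newer push cancels the run still in flight.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# NOTE(review): every `uses:` below references a mutable tag (@v4, @v1). A
# moved tag changes the code this workflow executes without any change in
# this repository; pinning each action to a full commit SHA closes that gap.

jobs:

  lintGitHubActionsWithActionLint:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # Declared explicitly so the job does not inherit the repository-wide
    # default GITHUB_TOKEN permissions.
    # NOTE(review): checks/pull-requests scopes assume reviewdog reports via
    # check runs on the pull request - confirm against the reporter in use
    # and drop whatever is not needed.
    permissions:
      contents: read
      checks: write
      pull-requests: read

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false
          # Only the workflow definitions are needed for linting.
          sparse-checkout: |
            .github/workflows
          sparse-checkout-cone-mode: false

      - name: Lint GitHub Actions
        uses: reviewdog/action-actionlint@v1

      - name: Check GitHub Actions with 'actionlint'
        # Ref: https://github.com/rhysd/actionlint/blob/main/docs/usage.md#use-actionlint-on-github-actions
        # shellcheck is too noisy and disabled
        #
        # The installer is written to a file and only executed after curl
        # reports success, so a failed, redirected-to-plaintext or truncated
        # download fails the step instead of feeding partial input to bash.
        # NOTE(review): the script is still fetched from the mutable `main`
        # branch, so its content can change between runs. Pin the URL to a
        # release tag or commit and verify a known checksum before running.
        run: |
          installer="$(mktemp)"
          curl --fail --silent --show-error --location \
            --proto '=https' --tlsv1.2 \
            --output "${installer}" \
            https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash
          bash "${installer}"
          ./actionlint -color -shellcheck=
        shell: bash

  lintGitHubActionsForSecurity:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # Least privilege: this job only reads the checked-out workflow files and
    # prints findings to the log. It also builds and runs third-party code
    # (cargo install), so the token is kept read-only.
    # `security-events: write` and `actions: read` are only required if a
    # SARIF upload step is added later; re-add them together with that step.
    permissions:
      contents: read

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false
          # Only the workflow definitions are needed for the audit.
          sparse-checkout: |
            .github/workflows
          sparse-checkout-cone-mode: false

      - name: Setup Rust
        uses: actions-rust-lang/setup-rust-toolchain@v1

      - name: Install zizmor
        # --locked builds with the dependency versions recorded in the
        # crate's own Cargo.lock rather than re-resolving them on every run.
        # NOTE(review): the zizmor version itself is still unpinned; consider
        # `--version` with a reviewed release.
        run: cargo install --locked zizmor

      - name: Run zizmor on GitHub Actions
        run: zizmor .github/workflows/*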