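# NOTE(review): none of the jobs below computes or verifies checksums; they
# lint and validate. The name is kept because required status checks may
# reference it. Confirm before renaming.
name: Release Checksums

# PR-time validation gate for release-affecting files. Independent of
# lint.yml — meant to harden the brittle parts (ksvalidator on the
# generated CI kickstart, shellcheck across all maintained scripts,
# YAML sanity on every workflow).
#
# This workflow does NOT replace lint.yml; it runs alongside.

on:
  pull_request:
    paths:
      - 'kickstart/**'
      - 'scripts/**'
      - '.github/workflows/**'
  push:
    branches: [main]
    paths:
      - 'kickstart/**'
      - 'scripts/**'
      - '.github/workflows/**'

# Least privilege: every job here only reads the repository. Without this
# block the GITHUB_TOKEN falls back to the repository/organisation default,
# which may include write scopes.
permissions:
  contents: read

jobs:
  ksvalidate:
    name: ksvalidator (CI-flavour kickstart)
    runs-on: ubuntu-24.04
    container:
      # The tag is mutable. Pin by digest (image@sha256:<digest>) if this
      # gate must be reproducible.
      image: registry.fedoraproject.org/fedora:43
    steps:
      - uses: actions/checkout@v4
        with:
          # Nothing in this job pushes, so do not leave the token in
          # .git/config for later steps to read.
          persist-credentials: false
      - name: Install pykickstart
        run: dnf -y install pykickstart sed
      - name: Generate CI kickstart and validate
        run: |
          set -euxo pipefail
          # Mirror what build-iso.yml does so we're validating the file
          # the actual builder consumes, not just the source kickstart.
          # NOTE(review): this sed expression is a copy, not a shared
          # definition; if build-iso.yml changes its filter, update it here.
          sed -e '/veilor-fix/d' \
              -e '/^shutdown$/d' \
              kickstart/veilor-os.ks > kickstart/veilor-os-ci.ks
          ksvalidator kickstart/veilor-os.ks
          ksvalidator kickstart/veilor-os-ci.ks

  shellcheck:
    name: shellcheck (release scripts)
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: shellcheck repo scripts
        # Pinned to a release tag instead of the moving `master` branch, so
        # an upstream push cannot silently change the code this gate runs.
        # Tags can still be re-pointed; the full commit SHA of the release
        # is the stronger pin.
        uses: ludeeus/action-shellcheck@2.0.0
        with:
          severity: warning
          # Same exclusions as lint.yml so behaviour is consistent.
          ignore_paths: build/cache .github

  workflow-yaml:
    name: workflow YAML sanity
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Validate every workflow parses as YAML
        # Parse-only check: confirms each file is well-formed YAML, not
        # that it is a valid Actions workflow. safe_load is used so that
        # tags in PR-supplied files are never constructed into objects.
        run: |
          set -euo pipefail
          python3 - <<'PY'
          import sys, pathlib, yaml
          ok = True
          for p in pathlib.Path(".github/workflows").glob("*.y*ml"):
              try:
                  yaml.safe_load(p.read_text())
                  print(f"[OK] {p}")
              except yaml.YAMLError as e:
                  print(f"[ERR] {p}: {e}", file=sys.stderr)
                  ok = False
          sys.exit(0 if ok else 1)
          PY

  release-asset-budget:
    name: Release asset size budget
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Confirm split threshold is below GitHub's 2 GiB asset cap
        run: |
          set -euo pipefail
          # GitHub per-asset upload limit is 2 GiB = 2147483648 bytes.
          # split is invoked with -b 1900M = 1900 * 2^20 = 1992294400 bytes.
          # Hard-fail if anyone bumps the split size beyond the cap.
          WORKFLOW=.github/workflows/build-iso.yml
          # Collect every `split -b <N>M` occurrence, not only the first,
          # so a second, larger split elsewhere in the file is also checked.
          SIZES=$(grep -oE 'split -b [0-9]+M' "$WORKFLOW" | grep -oE '[0-9]+' || true)
          if [[ -z "$SIZES" ]]; then
            # This branch only warns. A switch to another unit suffix or to
            # `--bytes=` lands here rather than in the failing branch, so
            # treat the warning as a prompt to update the pattern above.
            echo "::warning::No split -b NM directive found — release pipeline may have changed"
            exit 0
          fi
          while read -r SIZE_M; do
            if [[ "$SIZE_M" -gt 2047 ]]; then
              echo "::error::split -b ${SIZE_M}M exceeds GitHub's 2 GiB per-asset cap"
              exit 1
            fi
            echo "[OK] split size ${SIZE_M}M is under the 2 GiB asset limit."
          done <<< "$SIZES"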