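# Lint workflow: validates the kickstart file, runs ShellCheck over the shell
# scripts, and greps the tree for strings that must not ship.
name: Lint

on:
  push:
    branches: [main]
  pull_request:

# No job below writes to the repository or calls the API, so the workflow
# token is limited to read-only repository contents (least privilege).
permissions:
  contents: read

jobs:
  ksvalidate:
    name: Kickstart syntax
    runs-on: ubuntu-24.04
    container:
      image: registry.fedoraproject.org/fedora:43
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step performs git operations; keep the token out of
          # the checked-out .git/config.
          persist-credentials: false
      - run: dnf -y install pykickstart
      - run: ksvalidator kickstart/veilor-os.ks

  shellcheck:
    name: Shell scripts
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
        with:
          # The next step runs third-party code in this workspace; do not
          # leave the workflow token on disk for it to read.
          persist-credentials: false
      # NOTE(review): this third-party action is tracked at a mutable branch
      # ref, so upstream changes run here unreviewed. Pin it to a reviewed
      # full commit SHA (placeholder: <FULL_COMMIT_SHA>).
      - uses: ludeeus/action-shellcheck@master
        with:
          severity: warning
          ignore_paths: build/cache .github

  brand-leak:
    name: No personal/onyx leaks
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
        with:
          # Only the working tree is scanned; no git credentials are needed.
          persist-credentials: false
      # Coverage: the scan is recursive and case-insensitive, skips binary
      # files (-I), the .git directory and every *.md file, so a hit in
      # Markdown or in a binary is not reported.
      # The second grep drops whole lines that match any listed phrase, so a
      # real hit on a line that also contains one of those phrases is
      # suppressed.
      # NOTE(review): this workflow sits inside the scanned tree; confirm that
      # each pattern line below is matched by one of the exclusion filters
      # (the backslash counts in the two escaped filters look worth
      # re-checking against the lines they are meant to exclude).
      - name: Grep for leaks
        run: |
          set -e
          # Allow audit greps that explicitly check for the patterns
          MATCHES=$(grep -rIni \
            -e 'onyx' \
            -e '192\.168\.0\.' \
            -e 'fedora\.local' \
            -e 'xynki\.dev' \
            --exclude-dir=.git \
            --exclude='*.md' \
            . || true)
          # Filter out self-referencing leak-detection grep patterns + audit text.
          # Lines that contain the bash escaped grep pattern (onyx\|192\.168) are
          # the leak detectors themselves, not leaks.
          LEAKS=$(echo "$MATCHES" | grep -v \
            -e 'should not contain' \
            -e 'returns zero' \
            -e 'audit grep' \
            -e "'onyx\\\\\\\\\\\\|" \
            -e 'onyx\\|' \
            -e "name:.*onyx leaks" \
            -e "-e 'onyx'" \
            || true)
          if [[ -n "$LEAKS" ]]; then
            echo "::error::Brand leaks detected"
            echo "$LEAKS"
            exit 1
          fi
          echo "no leaks ✓"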