veilor-os/.github/workflows/lint.yml

name: Lint

on:
  push:
    branches: [main]
  pull_request:

jobs:
  ksvalidate:
    name: Kickstart syntax
    runs-on: ubuntu-24.04
    container:
      image: registry.fedoraproject.org/fedora:43
    steps:
      - uses: actions/checkout@v4
      - run: dnf -y install pykickstart
      - run: ksvalidator kickstart/veilor-os.ks

  shellcheck:
    name: Shell scripts
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
      - uses: ludeeus/action-shellcheck@master
        with:
          severity: warning
          ignore_paths: build/cache .github

  brand-leak:
    name: No personal/onyx leaks
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
      - name: Grep for leaks
        run: |
          set -e
          # Scope: ship-state source dirs only. Audit reports, CHANGELOG,
          # PR templates, test checklists, and the lint workflow itself
          # legitimately quote the forbidden strings as findings/examples
          # — they don't ship in the ISO, so they're out of scope.
          MATCHES=$(grep -rIni \
            -e 'onyx' \
            -e '192\.168\.0\.' \
            -e 'fedora\.local' \
            -e 'xynki\.dev' \
            kickstart/ overlay/ scripts/ assets/ build/ \
            || true)

          # Filter self-referencing sanity-grep lines: the kickstart and
          # post-install scripts run their own brand-leak scan against the
          # installed /etc — those grep invocations literally contain the
          # forbidden strings as patterns, not as leaked data.
          LEAKS=$(echo "$MATCHES" | grep -v \
            -e "grep .*'onyx" \
            -e '# Sanity:' \
            -e 'brand leak' \
            || true)

          if [[ -n "$LEAKS" ]]; then
            echo "::error::Brand leaks detected"
            echo "$LEAKS"
            exit 1
          fi
          echo "no leaks ✓"