name: PR Validation

on:
  pull_request:
    branches: [main]

jobs:
  validate:
    runs-on: runners-privilegedescalation
    timeout-minutes: 5

    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Install actionlint
        run: |
          ACTIONLINT_VERSION="1.7.7"
          mkdir -p "$HOME/.local/bin"
          curl -fsSL "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" \
            | tar -xz -C "$HOME/.local/bin" actionlint
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"

      - name: Validate workflow YAML with actionlint
        run: actionlint -color .github/workflows/*.yaml

      - name: Install shellcheck
        run: |
          sudo apt-get update -qq && sudo apt-get install -y -qq shellcheck >/dev/null 2>&1

      - name: Shellcheck scripts
        run: |
          if ls .github/scripts/*.sh 1>/dev/null 2>&1; then
            for script in .github/scripts/*.sh; do
              echo "Checking ${script}..."
              shellcheck --severity=warning "$script"
            done
          else
            echo "No shell scripts to check"
          fi