org/.github/workflows/pr-validation.yaml

name: PR Validation

on:
  pull_request:
    branches: [main]

jobs:
  validate:
    runs-on: ubuntu-latest
    timeout-minutes: 5

    steps:
      - name: Checkout
        env:
          HEAD_REF: ${{ github.head_ref }}
          BASE_REF: ${{ github.base_ref }}
        run: |
          git clone --depth=1 "https://x-access-token:${{ secrets.GITEA_TOKEN }}@git.farh.net/${{ github.repository }}.git" .
          git fetch origin "$BASE_REF" --depth=1
          git fetch origin +refs/pull/*/head:refs/pull/*/head --depth=1
          git checkout "${{ github.sha }}"

      - name: Install actionlint
        run: |
          ACTIONLINT_VERSION="1.7.7"
          mkdir -p "$HOME/.local/bin"
          apt-get install -y wget -qq >/dev/null 2>&1 || true
          wget -qO- "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" \
            | tar -xz -C "$HOME/.local/bin" actionlint
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"

      - name: Validate workflow YAML with actionlint
        run: actionlint -no-shellcheck -color .github/workflows/*.yaml

      - name: Install shellcheck
        run: |
          SC_VERSION="v0.10.0"
          mkdir -p "$HOME/.local/bin"
          wget -qO- "https://github.com/koalaman/shellcheck/releases/download/${SC_VERSION}/shellcheck-${SC_VERSION}.linux.x86_64.tar.xz" \
            | tar -xJ --strip-components=1 -C "$HOME/.local/bin" "shellcheck-${SC_VERSION}/shellcheck"
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"

      - name: Shellcheck scripts
        run: |
          if ls .github/scripts/*.sh 1>/dev/null 2>&1; then
            for script in .github/scripts/*.sh; do
              echo "Checking ${script}..."
              shellcheck --severity=warning "$script"
            done
          else
            echo "No shell scripts to check"
          fi