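# Lint workflow: runs golangci-lint on Linux/macOS/Windows, govulncheck, and
# GitHub dependency review for pushes and pull requests targeting master / 2.*.
name: Lint

on:
  push:
    branches:
      - master
      - '2.*'
  pull_request:
    branches:
      - master
      - '2.*'

# Workflow-wide default for the job token; each job below declares its own
# permissions block, which replaces this default for that job.
permissions:
  contents: read

env:
  # https://github.com/actions/setup-go/issues/491
  GOTOOLCHAIN: local

jobs:
  # From https://github.com/golangci/golangci-lint-action
  golangci:
    permissions:
      contents: read  # for actions/checkout to fetch code
      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
    name: lint
    strategy:
      matrix:
        os:
          - linux
          - mac
          - windows

        # Maps each short OS name to the runner label used by runs-on.
        include:
          - os: linux
            OS_LABEL: ubuntu-latest

          - os: mac
            OS_LABEL: macos-14

          - os: windows
            OS_LABEL: windows-latest

    runs-on: ${{ matrix.OS_LABEL }}

    steps:
      # Audit mode only records outbound connections; it does not block them.
      # Once the observed endpoints are stable, consider `egress-policy: block`
      # with an explicit `allowed-endpoints` list.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863  # v2.12.1
        with:
          egress-policy: audit

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          # Keep the job token out of .git/config: the remaining steps only set
          # up Go and run the linter, and do not appear to need git credentials.
          persist-credentials: false

      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5  # v5.5.0
        with:
          go-version: '~1.24'
          check-latest: true

      - name: golangci-lint
        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9  # v8.0.0
        with:
          # NOTE(review): `latest` is resolved at run time, so the linter binary
          # is not pinned the way the actions in this file are pinned by commit
          # SHA. Pin an explicit version if reproducible lint results and a
          # reviewed upgrade path are wanted.
          version: latest

          # Windows times out frequently after about 5m50s if we don't set a longer timeout.
          args: --timeout 10m

          # Optional: show only new issues if it's a pull request. The default value is `false`.
          # only-new-issues: true

  # There is no checkout step in this job; govulncheck-action checks out the
  # repository itself unless its `repo-checkout` input is disabled.
  govulncheck:
    permissions:
      contents: read
      # NOTE(review): no step in this job obviously reads pull requests;
      # confirm this scope is needed and drop it otherwise.
      pull-requests: read
    runs-on: ubuntu-latest
    steps:
      # Audit mode only: outbound calls are logged, not blocked.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863  # v2.12.1
        with:
          egress-policy: audit

      - name: govulncheck
        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee  # v1.0.4
        with:
          # NOTE(review): the lint job uses '~1.24'; confirm the different
          # constraint here is intentional.
          go-version-input: '~1.24.1'
          check-latest: true

  dependency-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # The only write scope in this workflow; presumably required by
      # `comment-summary-in-pr` below to post the review summary.
      pull-requests: write
    steps:
      # Audit mode only: outbound calls are logged, not blocked.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863  # v2.12.1
        with:
          egress-policy: audit

      - name: 'Checkout Repository'
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          # This job's token carries pull-requests: write; do not leave it in
          # .git/config, since the review step does not appear to need git
          # credentials.
          persist-credentials: false

      - name: 'Dependency Review'
        uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9  # v4.7.1
        with:
          comment-summary-in-pr: on-failure
          # https://github.com/actions/dependency-review-action/issues/430#issuecomment-1468975566
          # On push events there is no pull_request payload, so the fallbacks
          # ('master' and github.ref) are what get compared.
          base-ref: ${{ github.event.pull_request.base.sha || 'master' }}
          head-ref: ${{ github.event.pull_request.head.sha || github.ref }}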