caddy/.github/workflows/lint.yml

name: Lint

on:
  push:
    branches:
      - master
      - 2.*
  pull_request:
    branches:
      - master
      - 2.*

permissions:
  contents: read

env:
  # https://github.com/actions/setup-go/issues/491
  GOTOOLCHAIN: local

jobs:
  # From https://github.com/golangci/golangci-lint-action
  golangci:
    permissions:
      contents: read # for actions/checkout to fetch code
      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
    name: lint
    strategy:
      matrix:
        os:
          - linux
          - mac
          - windows

        include:
        - os: linux
          OS_LABEL: ubuntu-latest

        - os: mac
          OS_LABEL: macos-14

        - os: windows
          OS_LABEL: windows-latest

    runs-on: ${{ matrix.OS_LABEL }}

    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit

      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: '~1.26'
          check-latest: true

      - name: golangci-lint
        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1
        with:
          version: latest

          # Windows times out frequently after about 5m50s if we don't set a longer timeout.
          args: --timeout 10m

          # Optional: show only new issues if it's a pull request. The default value is `false`.
          # only-new-issues: true

  govulncheck:
    permissions:
      contents: read
      pull-requests: read
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit

      - name: govulncheck
        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
        with:
          go-version-input: '~1.26.0'
          check-latest: true
  
  dependency-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit

      - name: 'Checkout Repository'
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
        with:
          comment-summary-in-pr: on-failure
          # https://github.com/actions/dependency-review-action/issues/430#issuecomment-1468975566
          base-ref: ${{ github.event.pull_request.base.sha || 'master' }}
          head-ref: ${{ github.event.pull_request.head.sha || github.ref }}