---
# This file is synced from the `.github` repository, do not modify it directly.
#
# Lints this repository's own workflow files. The first job runs `actionlint`
# (with shellcheck available for `run:` scripts) and `zizmor`; zizmor's SARIF
# report is stored as an artifact, and a second job forwards it to GitHub code
# scanning on public repositories.
name: Actionlint

on:
  push:
    branches:
      - main
      - master
  pull_request:

defaults:
  run:
    # Every `run:` step is a strict bash script: trace, stop on error or unset
    # variable, and propagate failures through pipelines.
    shell: bash -xeuo pipefail {0}

concurrency:
  group: 'actionlint-${{ github.ref }}'
  # Only pull-request runs are superseded by a newer run for the same ref.
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

env:
  HOMEBREW_DEVELOPER: '1'
  HOMEBREW_NO_AUTO_UPDATE: '1'
  HOMEBREW_NO_ENV_HINTS: '1'

# No default token scopes; each job requests only what it needs.
permissions: {}

jobs:
  workflow_syntax:
    # Only runs in the Homebrew organisation, not in forks.
    if: github.repository_owner == 'Homebrew'
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/homebrew/ubuntu22.04:main
    permissions:
      contents: read
    steps:
      - name: Set up Homebrew
        id: setup-homebrew
        # NOTE(review): referenced by branch, unlike the SHA-pinned actions below.
        uses: Homebrew/actions/setup-homebrew@main
        with:
          core: false
          cask: false
          test-bot: false

      - name: Install tools
        run: brew install actionlint shellcheck zizmor

      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # Keep the job token out of the checkout's git config.
          persist-credentials: false

      # The SARIF report is consumed by the `upload_sarif` job below.
      - run: zizmor --format sarif . > results.sarif
        env:
          # presumably needed by zizmor's audits that query the GitHub API — confirm
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload SARIF file
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        # We can't use the SARIF file when triggered by `merge_group` so we don't upload it.
        if: always() && github.event_name != 'merge_group'
        with:
          name: results.sarif
          path: results.sarif

      - name: Set up actionlint
        run: |
          # In homebrew-core, setting `shell: /bin/bash` prevents shellcheck from running on
          # those steps, so let's change them to `shell: bash` temporarily for better linting.
          sed -i 's|shell: /bin/bash -x|shell: bash -x|' .github/workflows/*.y*ml
          # In homebrew-core, the JSON matcher needs to be accessible to the container host.
          cp "$(brew --repository)/.github/actionlint-matcher.json" "$HOME"
          echo "::add-matcher::$HOME/actionlint-matcher.json"

      - run: actionlint

  upload_sarif:
    needs: workflow_syntax
    # We want to always upload this even if `actionlint` failed.
    # This is only available on public repositories.
    if: >
      always() &&
      !contains(fromJSON('["cancelled", "skipped"]'), needs.workflow_syntax.result) &&
      !github.event.repository.private &&
      github.event_name != 'merge_group'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required to publish the SARIF report to code scanning.
      security-events: write
    steps:
      - name: Download SARIF file
        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          name: results.sarif
          path: results.sarif

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.5
        with:
          sarif_file: results.sarif
          category: zizmor