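# Lint workflow: checks the workflow files (actionlint), the Python sources
# (Ruff) and the Dockerfile (hadolint). It has no push/pull_request trigger of
# its own; it runs when another workflow calls it or when started manually.
name: Lint

on:
  workflow_call:
  workflow_dispatch:

# Default token scope for every job: read-only access to repository contents.
permissions:
  contents: read

# NOTE(review): actions/checkout, actions/setup-python and
# github/codeql-action are referenced by mutable major-version tags, while
# hadolint-action is pinned to a full commit SHA. Pinning all third-party
# actions to commit SHAs would make the workflow consistent and protect it
# against a retargeted tag.

jobs:
  lint-actions:
    name: Lint GitHub Actions
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # No step in this job runs authenticated git commands, so do not
          # keep the job token configured for git after the checkout.
          persist-credentials: false

      - name: Run actionlint
        # NOTE(review): ":latest" is a mutable tag, so the image content can
        # change between runs without any change to this file. Pin it to a
        # release tag or an image digest (@sha256:<digest>) once one is chosen.
        # The workspace is mounted read-only: the linter only needs to read
        # the workflow files.
        run: docker run --rm -v "$PWD:/repo:ro" -w /repo rhysd/actionlint:latest

  lint-python:
    name: Lint Python
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # Nothing below needs git credentials.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          # Quoted so the version is read as a string, not a float.
          python-version: "3.12"

      - name: Install lint dependencies
        # Installing the project with its "dev" extra runs the project's own
        # build configuration and resolves dependencies from the package
        # index at run time.
        run: |
          python -m pip install --upgrade pip
          pip install ".[dev]"

      - name: Ruff lint
        run: ruff check .

      - name: Ruff format check
        run: ruff format --check .

  lint-docker:
    name: Lint Dockerfile
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow default, so contents: read is
    # repeated here. security-events: write is needed for the SARIF upload.
    # When this workflow runs via workflow_call, a called workflow cannot hold
    # more permissions than its caller: the calling job must grant
    # security-events: write as well.
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # Nothing below needs git credentials.
          persist-credentials: false

      - name: Run hadolint
        id: hadolint
        # Do not stop the job here: the findings are uploaded first and the
        # final step decides whether the job fails.
        continue-on-error: true
        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5
        with:
          dockerfile: ./Dockerfile
          format: sarif
          output-file: hadolint-results.sarif
          failure-threshold: warning

      - name: Upload hadolint SARIF
        # In a called workflow the github context is the caller's, so this
        # uploads only when the calling workflow was triggered by a push.
        # Manual (workflow_dispatch) runs skip the upload.
        if: always() && github.event_name == 'push'
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: hadolint-results.sarif
          wait-for-processing: true
          category: hadolint

      - name: Fail on hadolint warnings
        # Runs even if an earlier step failed. NOTE(review): confirm that
        # utils/check_hadolint_sarif.py exits non-zero when the SARIF file is
        # missing, so that a hadolint step that produced no report cannot
        # pass silently.
        if: always()
        run: python3 utils/check_hadolint_sarif.py hadolint-results.sarif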