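# Copyright (C) Project Tick
# SPDX-License-Identifier: MIT
#
# Fast lint & commit checks — called from ci.yml before builds start.
#
# NOTE(review): every action below is referenced by a mutable tag
# (@v2, @v6, @v7). A tag can be re-pointed at different code by whoever
# controls the action's repository; pinning each `uses:` to a full-length
# commit SHA (keeping the tag as a trailing comment) makes the executed
# code immutable. The SHAs are not visible here, so the refs are unchanged.

name: "Lint & Checks"

on:
  workflow_call:
    # NOTE(review): neither input is referenced by any job in this file as
    # shown — confirm whether the jobs are meant to be gated on them.
    inputs:
      run-level:
        description: "minimal | standard | full"
        required: true
        type: string
      changed-projects:
        description: "Comma-separated list of changed projects"
        required: false
        type: string
        default: ""

# Least privilege: the token handed to every job is read-only on contents.
permissions:
  contents: read

jobs:
  # ── Commit message lint (Conventional Commits) ──────────────────
  commit-lint:
    name: "Commit Messages"
    runs-on: ubuntu-latest
    steps:
      # `audit` only records outbound connections; it does not block them.
      # Once the audit log gives a baseline, `egress-policy: block` with
      # `allowed-endpoints` turns the baseline into an enforced allow-list.
      - name: Harden runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: audit

      # Full history is fetched so every commit in range can be linted.
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 22

      # NOTE(review): `npm ci` runs dependency lifecycle scripts while the
      # checkout credentials are still persisted on the runner. If no
      # dependency needs install scripts, `npm ci --ignore-scripts` together
      # with `persist-credentials: false` on the checkout above narrows what
      # a compromised package can reach — confirm lint-commits.js does not
      # need git credentials before changing either.
      - name: Install dependencies
        working-directory: ci/github-script
        run: npm ci

      - name: Lint commit messages
        uses: actions/github-script@v7
        with:
          script: |
            const lint = require('./ci/github-script/lint-commits.js')
            await lint({
              github,
              context,
              core,
              repoPath: '.'
            })

  # ── REUSE / license compliance ──────────────────────────────────
  reuse:
    name: "REUSE Compliance"
    runs-on: ubuntu-latest
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: audit

      # No later step talks to the remote, so the token is not kept on disk.
      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false

      - name: Check REUSE compliance
        uses: fsfe/reuse-action@v6

  # ── Whitespace & formatting checks ─────────────────────────────
  whitespace:
    name: "Whitespace"
    runs-on: ubuntu-latest
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: audit

      # The check diffs HEAD~1..HEAD. The default checkout fetches a single
      # commit, so HEAD~1 would not resolve and the check would silently
      # report nothing; depth 2 makes the parent commit available.
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 2
          persist-credentials: false

      # Advisory only: findings are surfaced as a warning annotation and
      # never fail the job.
      - name: Check trailing whitespace
        run: |
          set -euo pipefail
          # Without a parent commit the diff cannot run; say so in the log
          # instead of reporting a clean result.
          if ! git rev-parse --verify --quiet 'HEAD~1^{commit}' >/dev/null; then
            echo "::warning::Parent commit not available; whitespace check skipped."
            exit 0
          fi
          # git diff --check exits non-zero when it finds problems, so
          # '|| true' keeps this step from aborting under 'set -e'.
          # stderr is left visible so a git failure shows up in the log.
          ERRORS=$(git diff --check HEAD~1 HEAD -- \
            ':!*.patch' \
            ':!*/test/data/*' \
            ':!*.ico' \
            ':!*.png' \
            ':!*.jpg' \
            ':!*.gif' \
            ':!*.bin' \
            ':!*.7z' \
            ':!*.zip' \
            ':!*.gz' \
            ':!*.lock' \
            || true)
          if [[ -n "$ERRORS" ]]; then
            echo "::warning::Whitespace issues found:"
            echo "$ERRORS"
          fi

  # ── Actionlint (validate all workflow YAML) ─────────────────────
  actionlint:
    name: "Actionlint"
    runs-on: ubuntu-latest
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false

      - name: Run actionlint
        uses: raven-actions/actionlint@v2
        with:
          matcher: true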