name: Run linters

on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
  push:
    branches:
      - main
      - release/**

concurrency:
  group: ${{ github.head_ref || github.run_id }}-lint
  cancel-in-progress: true

jobs:
  setup:
    name: Setup
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Ensure Go modules are cached
        uses: ./.github/actions/set-up-go
        with:
          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
          no-restore: true # don't download them on a cache hit

  deprecations:
    name: Deprecated functions
    runs-on: ubuntu-latest
    needs: setup
    if: github.base_ref == 'main'
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
      - uses: ./.github/actions/set-up-go
        with:
          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
      - uses: ./.github/actions/install-external-tools # for staticcheck
      - run: make ci-deprecations
        name: Check deprecations

  codechecker:
    name: Code checks
    runs-on: ubuntu-latest
    needs: setup
    if: github.base_ref == 'main'
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
      - uses: ./.github/actions/set-up-go
        with:
          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
      - uses: ./.github/actions/install-external-tools # for buf
        # Note: if there is a function we want to ignore the nilnil check for,
        # You can add 'ignore-nil-nil-function-check' somewhere in the
        # godoc for the function.
      - run: make ci-vet-codechecker
        name: Check custom linters
      - run: make protolint
        name: Protobuf lint

  generate-delta:
    name: Protobuf generate delta
    runs-on: ubuntu-latest
    needs: setup
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - uses: ./.github/actions/set-up-go
        with:
          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
      - uses: ./.github/actions/install-external-tools # for buf and protoc-*
      - name: Check generate delta
        run: make prep check-proto-delta

  format:
    name: Format
    runs-on: ubuntu-latest
    needs: setup
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - uses: ./.github/actions/set-up-go
        with:
          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
      - uses: ./.github/actions/install-external-tools # for buf and gofumpt
      - name: Go format
        run: make prep check-go-fmt
      - name: Protobuf format
        run: |
          echo "Using buf version $(buf --version)"
          make check-proto-fmt

  semgrep:
    name: Semgrep
    runs-on: ubuntu-latest
    container:
      image: returntocorp/semgrep@sha256:cfad18cfb6536aa48ad5a71017207a10320b4e17e3b2bd7b7de27b42dc9651e7 #v1.58
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Run Semgrep Rules
        run: semgrep ci --include '*.go' --config 'tools/semgrep/ci'