name: Workflow Sanity

on:
  pull_request:
  push:
    branches: [main]

concurrency:
  group: workflow-sanity-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  no-tabs:
    runs-on: blacksmith-16vcpu-ubuntu-2404
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Fail on tabs in workflow files
        run: |
          python - <<'PY'
          from __future__ import annotations

          import pathlib
          import sys

          root = pathlib.Path(".github/workflows")
          bad: list[str] = []
          for path in sorted(root.rglob("*.yml")):
            if b"\t" in path.read_bytes():
              bad.append(str(path))

          for path in sorted(root.rglob("*.yaml")):
            if b"\t" in path.read_bytes():
              bad.append(str(path))

          if bad:
            print("Tabs found in workflow file(s):")
            for path in bad:
              print(f"- {path}")
            sys.exit(1)
          PY

  actionlint:
    runs-on: blacksmith-16vcpu-ubuntu-2404
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install actionlint
        shell: bash
        run: |
          set -euo pipefail
          ACTIONLINT_VERSION="1.7.11"
          archive="actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz"
          base_url="https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}"
          curl -sSfL -o "${archive}" "${base_url}/${archive}"
          curl -sSfL -o checksums.txt "${base_url}/actionlint_${ACTIONLINT_VERSION}_checksums.txt"
          grep " ${archive}\$" checksums.txt | sha256sum -c -
          tar -xzf "${archive}" actionlint
          sudo install -m 0755 actionlint /usr/local/bin/actionlint

      - name: Lint workflows
        run: actionlint

      - name: Disallow direct inputs interpolation in composite run blocks
        run: python3 scripts/check-composite-action-input-interpolation.py