name: Static Analysis
on:
  workflow_call:
  pull_request:
    types: [edited]

jobs:
  pr-lint:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-24.04
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    permissions:
      pull-requests: read
    steps:
      - name: Enforce PR title length <= 64
        # Don't run for Dependabot PRs
        if: ${{ !contains(github.event.pull_request.head.label, 'dependabot') }}
        env:
          PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
          REPOSITORY_NAME: ${{ github.repository }}
        run: |
          PR_TITLE=$(gh pr view "$PULL_REQUEST_NUMBER" --repo "$REPOSITORY_NAME" --json title -q '.title')

          pr_title_length=${#PR_TITLE}

          # 64 instead of 72 because GitHub adds the PR number to the title
          if [ "$pr_title_length" -gt 64 ]; then
            echo "PR title too long. Please keep it under 64 characters."
            exit 1
          fi
      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 #v6.1.1

  version-check:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Check version is up to date
        run: |
          ./scripts/bump-versions.sh
          if [ -z "$(git status --porcelain)" ]; then
            # Working directory clean
            echo "Version manifests up to date"
          else
            # Uncommitted changes
            echo "'scripts/bump-versions.sh' found outdated files! Showing diff"
            git diff
            exit 1
          fi

  link-check:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2 # v2.6.1
        with:
          fail: true
          args: --offline --verbose --no-progress **/*.md

  actionlint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: raven-actions/actionlint@3a24062651993d40fed1019b58ac6fbdfbf276cc # v2.0.1

  global-linter:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: "3.11"
      - uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        name: Restore Python Cache
        id: cache
        with:
          path: ~/.cache/pip
          key: ubuntu-24.04-${{ runner.arch }}-pip-${{ hashFiles('.github/requirements.txt') }}
      - name: Install Python Dependencies
        run: |
          pip install -r .github/requirements.txt
      - uses: ./.github/actions/setup-node
        with:
          npmjs-token: ${{ secrets.NPMJS_TOKEN }}
          lockfile-dir: ./.github
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y shfmt
          pnpm i --frozen-lockfile --dir ./.github
      - name: Run pre-commit
        run: |
          pre-commit install --config .github/pre-commit-config.yaml
          SKIP=no-commit-to-branch pre-commit run --all-files --config .github/pre-commit-config.yaml
      - uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        if: ${{ steps.cache.outputs.cache-hit != 'true'}}
        name: Save Python Cache
        with:
          path: ~/.cache/pip
          key: ${{ steps.cache.outputs.cache-primary-key }}