name: Static Analysis
on:
  workflow_call:
  pull_request:
    types: [edited]

jobs:
  pr-lint:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-22.04-xlarge
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    permissions:
      pull-requests: read
    steps:
      - name: Enforce PR title length <= 64
        # Don't run for Dependabot PRs
        if: ${{ !contains(github.event.pull_request.head.label, 'dependabot') }}
        env:
          PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
          REPOSITORY_NAME: ${{ github.repository }}
        run: |
          PR_TITLE=$(gh pr view "$PULL_REQUEST_NUMBER" --repo "$REPOSITORY_NAME" --json title -q '.title')

          pr_title_length=${#PR_TITLE}

          # 64 instead of 72 because GitHub adds the PR number to the title
          if [ "$pr_title_length" -gt 64 ]; then
            echo "PR title too long. Please keep it under 64 characters."
            exit 1
          fi
      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 #v5.5.3

  version-check:
    runs-on: ubuntu-22.04-xlarge
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Check version is up to date
        run: |
          ./scripts/bump-versions.sh
          if [ -z "$(git status --porcelain)" ]; then
            # Working directory clean
            echo "Version manifests up to date"
          else
            # Uncommitted changes
            echo "'scripts/bump-versions.sh' found outdated files! Showing diff"
            git diff
            exit 1
          fi

  link-check:
    runs-on: ubuntu-22.04-xlarge
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: lycheeverse/lychee-action@82202e5e9c2f4ef1a55a3d02563e1cb6041e5332 # v2.4.1
        with:
          fail: true
          args: --offline --verbose --no-progress **/*.md

  actionlint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: raven-actions/actionlint@3a24062651993d40fed1019b58ac6fbdfbf276cc # v2.0.1

  global-linter:
    runs-on: ubuntu-22.04-xlarge
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.11"
      - uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        name: Restore Python Cache
        id: cache
        with:
          path: ~/.cache/pip
          key: ubuntu-22.04-${{ runner.arch }}-pip-${{ hashFiles('.github/requirements.txt') }}
      - name: Install Python Dependencies
        run: |
          pip install -r .github/requirements.txt
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: 20
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y shfmt
          npm install -g prettier
      - name: Run pre-commit
        run: |
          pre-commit install --config .github/pre-commit-config.yaml
          SKIP=no-commit-to-branch pre-commit run --all-files --config .github/pre-commit-config.yaml
      - uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        if: ${{ steps.cache.outputs.cache-hit != 'true'}}
        name: Save Python Cache
        with:
          path: ~/.cache/pip
          key: ${{ steps.cache.outputs.cache-primary-key }}