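# Lint workflow: checks that go.mod/go.sum are tidy, runs golangci-lint,
# verifies license generation, and scans for known Go vulnerabilities.
name: Lint

# Both triggers are limited to changes that touch Go sources, module files,
# or the license tooling.
on:
  push:
    branches:
      - trunk
    paths:
      - "**.go"
      - go.mod
      - go.sum
      - ".github/licenses.tmpl"
      - "script/licenses"
  pull_request:
    paths:
      - "**.go"
      - go.mod
      - go.sum
      - ".github/licenses.tmpl"
      - "script/licenses"

# Least privilege: every job in this workflow only needs to read the repository.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest

    steps:
      # NOTE(review): actions/checkout and actions/setup-go are referenced by
      # mutable tag, whereas golangci-lint-action below is pinned to a full
      # commit SHA; pinning these the same way would make the job's action
      # inputs immutable.
      - name: Check out code
        uses: actions/checkout@v6
        with:
          # No later step pushes or fetches with the workflow token, so do not
          # leave it available to the build tooling that runs on checked-out code.
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version-file: 'go.mod'

      # Runs `go mod tidy` and fails the job if it modifies tracked files,
      # printing the resulting diff so the contributor can commit it.
      - name: Ensure go.mod and go.sum are up to date
        run: |
          STATUS=0
          assert-nothing-changed() {
            local diff
            "$@" >/dev/null || return 1
            if ! diff="$(git diff -U1 --color --exit-code)"; then
              printf '\e[31mError: running `\e[1m%s\e[22m` results in modifications that you must check into version control:\e[0m\n%s\n\n' "$*" "$diff" >&2
              git checkout -- .
              STATUS=1
            fi
          }

          assert-nothing-changed go mod tidy

          exit "$STATUS"

      - name: golangci-lint
        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
        with:
          version: v2.11.0

      # Verify that license generation succeeds for all release platforms (GOOS/GOARCH).
      # This catches issues like new dependencies with unrecognized licenses before release time.
      #
      # actions/setup-go does not set up the installed toolchain to be preferred over the system install,
      # which causes go-licenses to raise "Package ... does not have module info" errors.
      # For more information, see https://github.com/google/go-licenses/issues/244#issuecomment-1885098633
      - name: Verify license generation
        run: |
          # Assign before exporting so a failing `go env` is not masked by `export`.
          GOROOT="$(go env GOROOT)"
          export GOROOT
          export PATH="${GOROOT}/bin:${PATH}"
          make licenses-check

  # Discover known vulnerabilities in the Go standard library and module
  # dependencies used to build GitHub CLI using govulncheck.
  #
  # NOTE(review): this job only runs when the path filters above match, so an
  # advisory published after the last Go change is not reported until the next
  # matching push or pull request; a scheduled run would close that gap.
  govulncheck:
    runs-on: ubuntu-latest

    steps:
      - name: Check out code
        uses: actions/checkout@v6
        with:
          # The scan only reads the source tree; do not keep the workflow token around.
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version-file: 'go.mod'

      # `govulncheck` exits unsuccessfully if vulnerabilities are found, providing results in stdout.
      # See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Exit_codes for more information on exit codes.
      #
      # On go1.25+, to make `-mode binary` work we need to make sure the binary is built with `go build -buildvcs=false`.
      # Since our builds do not use `-buildvcs=false`, we run in source mode here instead.
      #
      # The tool is pinned to a commit hash so the scanner itself cannot change underneath the workflow.
      - name: Check Go vulnerabilities
        run: |
          go run golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 ./...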