name: Lint
on:
  push:
    branches:
      - trunk
    paths:
      - "**.go"
      - go.mod
      - go.sum
  pull_request:
    paths:
      - "**.go"
      - go.mod
      - go.sum
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'

      - name: Ensure go.mod and go.sum are up to date
        run: |
          STATUS=0
          assert-nothing-changed() {
            local diff
            "$@" >/dev/null || return 1
            if ! diff="$(git diff -U1 --color --exit-code)"; then
              printf '\e[31mError: running `\e[1m%s\e[22m` results in modifications that you must check into version control:\e[0m\n%s\n\n' "$*" "$diff" >&2
              git checkout -- .
              STATUS=1
            fi
          }
          assert-nothing-changed go mod tidy
          exit $STATUS

      - name: golangci-lint
        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
        with:
          version: v2.1.6

  # Discover vulnerabilities within Go standard libraries used to build GitHub CLI using govulncheck.
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'

      # `govulncheck` exits unsuccessfully if vulnerabilities are found, providing results in stdout.
      # See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Exit_codes for more information on exit codes.
      - name: Check Go vulnerabilities
        run: |
          make
          go run golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 -mode=binary bin/gh