caddy/.github/workflows/lint.yml

name: Lint

on:
  push:
    branches:
      - master
      - 2.*
  pull_request:
    branches:
      - master
      - 2.*

permissions:
  contents: read

env:
  # https://github.com/actions/setup-go/issues/491
  GOTOOLCHAIN: local

jobs:
  # From https://github.com/golangci/golangci-lint-action
  golangci:
    permissions:
      contents: read # for actions/checkout to fetch code
      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
    name: lint
    strategy:
      matrix:
        os:
          - linux
          - mac
          - windows

        include:
        - os: linux
          OS_LABEL: ubuntu-latest

        - os: mac
          OS_LABEL: macos-14

        - os: windows
          OS_LABEL: windows-latest

    runs-on: ${{ matrix.OS_LABEL }}

    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
        with:
          egress-policy: audit

      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version: '~1.25'
          check-latest: true

      - name: golangci-lint
        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
        with:
          version: latest

          # Windows times out frequently after about 5m50s if we don't set a longer timeout.
          args: --timeout 10m

          # Optional: show only new issues if it's a pull request. The default value is `false`.
          # only-new-issues: true

  govulncheck:
    permissions:
      contents: read
      pull-requests: read
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
        with:
          egress-policy: audit

      - name: govulncheck
        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
        with:
          go-version-input: '~1.25.0'
          check-latest: true
  
  dependency-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
        with:
          egress-policy: audit

      - name: 'Checkout Repository'
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
        with:
          comment-summary-in-pr: on-failure
          # https://github.com/actions/dependency-review-action/issues/430#issuecomment-1468975566
          base-ref: ${{ github.event.pull_request.base.sha || 'master' }}
          head-ref: ${{ github.event.pull_request.head.sha || github.ref }}