---
# https://github.com/redhat-plumbers-in-action/differential-shellcheck#readme

name: Differential ShellCheck
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

permissions:
  contents: read

jobs:
  lint:
    if: github.event.repository.name != 'systemd-security'
    runs-on: ubuntu-24.04

    permissions:
      security-events: write

    steps:
      - name: Repository checkout
        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
        with:
          fetch-depth: 0

      - name: Differential ShellCheck
        uses: redhat-plumbers-in-action/differential-shellcheck@60c9f2b924a9c5a2ddbb25e7b23e8e11b56faab9
        with:
          # exclude all `.in` files because they may contain unsupported syntax, and they have to be preprocessed first
          # TEMPORARY: exclude bash completion files, they would generate too many defects in Code scanning dashboard (600+)
          # exclude zsh completion files, zsh is not supported by ShellCheck
          exclude-path: |
            '**/*.in'
            'shell-completion/bash/*'
            'shell-completion/zsh/*'
          token: ${{ secrets.GITHUB_TOKEN }}