# Lints and checks for potential issues in the profiles.

name: Check-Profiles

on:
  push:
    branches-ignore:
      - 'dependabot/**'
    paths:
      - 'ci/check/profiles/**'
      - 'etc/**'
      - .github/workflows/check-profiles.yml
      - ci/printenv.sh
      - contrib/sort.py
      - src/firecfg/firecfg.config
  pull_request:
    paths:
      - 'ci/check/profiles/**'
      - 'etc/**'
      - .github/workflows/check-profiles.yml
      - ci/printenv.sh
      - contrib/sort.py
      - src/firecfg/firecfg.config

permissions:  # added using https://github.com/step-security/secure-workflows
  contents: read

jobs:
  profile-checks:
    runs-on: ubuntu-latest
    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
      with:
        disable-sudo: true
        egress-policy: block
        allowed-endpoints: >
          github.com:443

    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
    - name: print env
      run: ./ci/printenv.sh
    - run: python3 --version

#   - name: sort.py
#     run: >
#       ./ci/check/profiles/sort.py
#       etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
# Currently broken (see #5610)
#   - name: private-etc-always-required.sh
#     run: >
#       ./ci/check/profiles/private-etc-always-required.sh
#       etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
    - name: sort-disable-programs.sh
      run: >
        ./ci/check/profiles/sort-disable-programs.sh
        etc/inc/disable-programs.inc
    - name: sort-firecfg.config.sh
      run: >
        ./ci/check/profiles/sort-firecfg.config.sh
        src/firecfg/firecfg.config