name: Profile Checks

on:
  push:
    branches: [ master ]
    paths:
      - 'ci/check/profiles/**'
      - 'etc/**'
      - .github/workflows/profile-checks.yml
      - contrib/sort.py
      - src/firecfg/firecfg.config
  pull_request:
    branches: [ master ]
    paths:
      - 'ci/check/profiles/**'
      - 'etc/**'
      - .github/workflows/profile-checks.yml
      - contrib/sort.py
      - src/firecfg/firecfg.config

permissions:  # added using https://github.com/step-security/secure-workflows
  contents: read

jobs:
  profile-checks:
    runs-on: ubuntu-latest
    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
      with:
        disable-sudo: true
        egress-policy: block
        allowed-endpoints: >
          github.com:443

    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
    - name: sort.py
      run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
    - name: private-etc-always-required.sh
      run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
    - name: sort-disable-programs.sh
      run: ./ci/check/profiles/sort-disable-programs.sh etc/inc/disable-programs.inc
    - name: sort-firecfg.config.sh
      run: ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config