name: Profile Checks

on:
  push:
    branches: [ master ]
    paths:
      - 'etc/**'
      - 'ci/check/profiles/**'
      - 'src/firecfg/firecfg.config'
      - 'contrib/sort.py'
  pull_request:
    branches: [ master ]
    paths:
      - 'etc/**'
      - 'ci/check/profiles/**'
      - 'src/firecfg/firecfg.config'
      - 'contrib/sort.py'

permissions:  # added using https://github.com/step-security/secure-workflows
  contents: read

jobs:
  profile-checks:
    runs-on: ubuntu-latest
    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
      with:
        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
    - name: sort.py
      run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
    - name: private-etc-always-required.sh
      run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
    - name: sort-disable-programs.sh
      run: ./ci/check/profiles/sort-disable-programs.sh etc/inc/disable-programs.inc
    - name: sort-firecfg.config.sh
      run: ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config