matrix/.gitea/workflows/lint.yml

name: Lint

on:
  push:
    branches: ["**"]
  pull_request:
    branches: ["**"]

jobs:
  shell-lint:
    name: Shell (shellcheck)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Install shellcheck
        run: apt-get update -qq && apt-get install -y -qq shellcheck

      - name: Run shellcheck
        run: find . -name "*.sh" -exec shellcheck {} +

  js-lint:
    name: JS (eslint)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Install ESLint
        run: npm install --save-dev eslint@8

      - name: Run ESLint
        run: npx eslint --ext .js hookshot/

  python-lint:
    name: Python (ruff)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Install ruff
        run: |
          curl -sSL https://github.com/astral-sh/ruff/releases/download/0.8.6/ruff-x86_64-unknown-linux-gnu.tar.gz \
            | tar -xz ruff
          mv ruff /usr/local/bin/ruff

      - name: Check syntax errors
        run: ruff check matrixbot/ --select E9,F63,F7,F82 --output-format=github

      - name: Run full lint
        run: ruff check matrixbot/ --output-format=github

  python-audit:
    name: Python deps (pip-audit)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Install pip-audit
        run: |
          apt-get update -qq && apt-get install -y -qq python3-pip python3-venv
          python3 -m pip install pip-audit

      - name: Audit matrixbot dependencies
        run: python3 -m pip_audit -r matrixbot/requirements.txt

  secret-scan:
    name: Secret scan (gitleaks)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Install gitleaks
        run: |
          curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
            | tar -xz gitleaks
          mv gitleaks /usr/local/bin/gitleaks

      - name: Scan for secrets
        run: |
          gitleaks detect --source . --redact --exit-code 1 \
            --baseline-path .gitleaks-baseline.json