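---
# CI for the CoM repository's config and hook files: JSON/YAML syntax, shell
# lint, secret scan, Markdown lint and a CODEOWNERS structure check.
# NOTE(review): actions are pinned to major tags (@v4, @v2, @v19); pinning to
# full commit SHAs is the stronger supply-chain control if the repo adopts it.
name: CI — CoM Config Validation

# `on` reads as a boolean under YAML 1.1; GitHub's loader handles it.
on:  # yamllint disable-line rule:truthy
  push:
    branches: [master]
  pull_request:
    branches: [master]

# Least privilege: read-only by default. The secret-scan job widens this for
# itself only; no other job writes security events.
permissions:
  contents: read

jobs:
  validate-json:
    name: Validate JSON Configs
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Named for what the loop actually does: every *.json outside .git/ and
      # node_modules/, not just settings.json.
      - name: Validate JSON files
        run: |
          set -euo pipefail
          echo "Validating JSON files..."
          # -print0 / read -d '' keeps paths with spaces or glob characters
          # intact, which `for f in $(find ...)` would split or expand.
          find . -name '*.json' -not -path './.git/*' -not -path './node_modules/*' -print0 |
            while IFS= read -r -d '' f; do
              echo "Checking $f"
              python3 -m json.tool "$f" > /dev/null || { echo "INVALID JSON: $f"; exit 1; }
            done
          echo "All JSON files valid."

  validate-yaml:
    name: Validate YAML Configs
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # NOTE(review): unpinned install — pinning yamllint to a known version
      # makes lint results reproducible across runs.
      - name: Install yamllint
        run: pip install yamllint
      - name: Lint YAML files
        run: |
          yamllint -d "{extends: relaxed, rules: {line-length: {max: 150}}}" .github/

  lint-shell:
    name: Lint Shell Scripts
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install shellcheck
        # Refresh the package index first; installing against a stale index
        # fails intermittently on fresh runners.
        run: |
          sudo apt-get update
          sudo apt-get install -y shellcheck
      - name: Run shellcheck on hooks
        run: |
          set -euo pipefail
          echo "Linting hook scripts..."
          # With no *.sh present the glob stays literal; the -f test skips it.
          for f in hooks/*.sh; do
            if [ -f "$f" ]; then
              echo "Checking $f"
              shellcheck -x "$f" || exit 1
            fi
          done
          echo "All shell scripts pass."

  secret-scan:
    name: Secret Detection
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow default, so contents: read
    # must be restated alongside the write scope this job needs.
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so every commit is scanned, not only HEAD
      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

  markdown-lint:
    name: Lint Markdown
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Lint Markdown files
        uses: DavidAnson/markdownlint-cli2-action@v19
        with:
          globs: "**/*.md"
          # NOTE(review): confirm this input accepts inline JSON; if it expects
          # a file path, move these rules into a .markdownlint-cli2.jsonc file
          # and pass that path instead.
          config: |
            {
              "MD013": false,
              "MD033": false,
              "MD041": false,
              "MD024": false
            }

  codeowners-validate:
    name: Validate CODEOWNERS
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check CODEOWNERS syntax
        run: |
          set -euo pipefail
          if [ -f .github/CODEOWNERS ]; then
            echo "CODEOWNERS file exists and is readable."
            # Structural check only (no API access here, so owner existence is
            # not verified): every non-comment rule needs a pattern followed by
            # at least one owner token containing '@'.
            # Reading via redirect (not a pipe) keeps `exit 1` in this shell.
            while IFS= read -r line || [ -n "$line" ]; do
              case "$line" in
                ''|'#'*) continue ;;
              esac
              echo "Rule: $line"
              owners="${line#*[[:space:]]}"
              if [ "$owners" = "$line" ] || [ "${owners#*@}" = "$owners" ]; then
                echo "INVALID CODEOWNERS RULE (missing owner): $line"
                exit 1
              fi
            done < .github/CODEOWNERS
            echo "CODEOWNERS validation passed."
          fi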