# Run 'make check' on paths ignored by test-core.yaml.
name: Run checks
on:
  pull_request:
    paths:
      - 'demo/**'
      - 'e2e/terraform/**'
      - 'terraform/**'
      - 'website/**'
  push:
    branches:
      - 'main'
      - 'release/**'
    paths:
      - 'demo/**'
      - 'e2e/terraform/**'
      - 'terraform/**'
      - 'website/**'
  workflow_call:

jobs:
  checks:
    # largest available self-hosted disk for extra iops because linting is io-intensive
    runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux", "disk_gb=255", "type=m7a.2xlarge;m6a.2xlarge"]') || 'custom-linux-xl-nomad-22.04' }}
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0 # needs tags for checkproto
      - name: Retrieve Vault-hosted Secrets
        if: endsWith(github.repository, '-enterprise')
        id: vault
        uses: hashicorp/vault-action@a1b77a09293a4366e48a5067a86692ac6e94fdc0 # v3.1.0
        with:
          url: ${{ vars.CI_VAULT_URL }}
          method: ${{ vars.CI_VAULT_METHOD }}
          path: ${{ vars.CI_VAULT_PATH }}
          jwtGithubAudience: ${{ vars.CI_VAULT_AUD }}
          secrets: |-
            kv/data/github/hashicorp/nomad-enterprise/gha ELEVATED_GITHUB_TOKEN ;
      - name: Git config token
        if: endsWith(github.repository, '-enterprise')
        run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com'
      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          cache: ${{ contains(runner.name, 'Github Actions') }}
          go-version-file: .go-version
          cache-dependency-path: '**/go.sum'
      - name: Run make check
        run: |
          make missing
          make bootstrap
          make check
permissions:
  contents: read
  id-token: write