zeroclaw/.github/workflows/workflow-sanity.yml

name: Workflow Sanity

on:
  pull_request:
    paths:
      - ".github/workflows/**"
      - ".github/*.yml"
      - ".github/*.yaml"
  push:
    branches: [main]
    paths:
      - ".github/workflows/**"
      - ".github/*.yml"
      - ".github/*.yaml"

concurrency:
  group: workflow-sanity-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  no-tabs:
    runs-on: ${{ github.event_name == 'push' && fromJSON('["self-hosted","Linux","X64","lxc-ci"]') || 'ubuntu-latest' }}
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

      - name: Fail on tabs in workflow files
        shell: bash
        run: |
          set -euo pipefail
          python - <<'PY'
          from __future__ import annotations

          import pathlib
          import sys

          root = pathlib.Path(".github/workflows")
          bad: list[str] = []
          for path in sorted(root.rglob("*.yml")):
            if b"\t" in path.read_bytes():
              bad.append(str(path))
          for path in sorted(root.rglob("*.yaml")):
            if b"\t" in path.read_bytes():
              bad.append(str(path))

          if bad:
            print("Tabs found in workflow file(s):")
            for path in bad:
              print(f"- {path}")
            sys.exit(1)
          PY

  actionlint:
    runs-on: ${{ github.event_name == 'push' && fromJSON('["self-hosted","Linux","X64","lxc-ci"]') || 'ubuntu-latest' }}
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

      - name: Lint GitHub workflows
        uses: rhysd/actionlint@393031adb9afb225ee52ae2ccd7a5af5525e03e8 # v1.7.11