name: Lint Release PR

on:
  pull_request:
    branches:
      - release
      - release-proxy
      - release-compute

permissions:
  contents: read

jobs:
  lint-release-pr:
    runs-on: ubuntu-22.04
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          egress-policy: audit

      - name: Checkout PR branch
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0  # Fetch full history for git operations
          ref: ${{ github.event.pull_request.head.ref }}

      - name: Run lint script
        env:
          RELEASE_BRANCH: ${{ github.base_ref }}
        run: |
          ./.github/scripts/lint-release-pr.sh