name: Lint
permissions:
  contents: read

on:
  push:
    branches: ["main"]
  pull_request:

jobs:
  markdownlint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 1

      - name: Run git diff --check
        shell: bash
        env:
          EVENT_NAME: ${{ github.event_name }}
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_SHA: ${{ github.sha }}
        run: |
          set -euo pipefail

          if [ "$EVENT_NAME" = "pull_request" ]; then
            git fetch --no-tags --depth=1 origin "+${PR_BASE_SHA}:refs/checks/pr-base"
            git diff --check refs/checks/pr-base HEAD
          elif [ "$PUSH_BEFORE_SHA" = "0000000000000000000000000000000000000000" ]; then
            git diff-tree --check --no-commit-id --root -r "$GITHUB_SHA"
          else
            git fetch --no-tags --depth=1 origin "+${PUSH_BEFORE_SHA}:refs/checks/push-before"
            git diff --check refs/checks/push-before HEAD
          fi

      - name: Run markdownlint-cli2
        uses: DavidAnson/markdownlint-cli2-action@ded1f9488f68a970bc66ea5619e13e9b52e601cd # v23
        with:
          globs: |
            '**/*.md'
            !extensions/**/*.md