esp32-hacking/.gitea/workflows/lint.yml

name: Lint & Build

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  build:
    name: Build Firmware
    runs-on: anvil
    container:
      image: docker.io/espressif/idf:v5.3
    steps:
      - name: Checkout
        run: |
          git clone --depth=1 --branch=${{ github.ref_name }} \
            https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git .

      - name: Build firmware
        run: |
          cd get-started/csi_recv_router
          idf.py build

      - name: Show binary size
        run: |
          ls -lh get-started/csi_recv_router/build/*.bin
  cppcheck:
    name: C/C++ Static Analysis
    runs-on: anvil
    container:
      image: docker.io/library/debian:bookworm-slim
    steps:
      - name: Install tools
        run: |
          apt-get update && apt-get install -y --no-install-recommends git cppcheck ca-certificates

      - name: Checkout
        run: |
          git clone --depth=1 --branch=${{ github.ref_name }} \
            https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git .

      - name: Run cppcheck
        run: |
          cppcheck --enable=warning,style,performance,portability \
            --suppress=missingIncludeSystem \
            --error-exitcode=1 \
            --inline-suppr \
            -I get-started/csi_recv_router/main \
            get-started/csi_recv_router/main/*.c

  flawfinder:
    name: Security Flaw Analysis
    runs-on: anvil
    container:
      image: docker.io/library/python:3.12-slim
    steps:
      - name: Install tools
        run: |
          apt-get update && apt-get install -y --no-install-recommends git ca-certificates
          pip install --no-cache-dir flawfinder

      - name: Checkout
        run: |
          git clone --depth=1 --branch=${{ github.ref_name }} \
            https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git .

      - name: Run flawfinder
        run: |
          flawfinder --minlevel=2 --error-level=4 \
            get-started/csi_recv_router/main/

  gitleaks:
    name: Secret Scanning
    runs-on: anvil
    container:
      image: docker.io/zricethezav/gitleaks:latest
    steps:
      - name: Checkout
        run: |
          git clone --branch=${{ github.ref_name }} \
            https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git .

      - name: Run gitleaks
        run: gitleaks detect --source . --verbose --redact

  shellcheck:
    name: Shell Script Analysis
    runs-on: anvil
    container:
      image: docker.io/koalaman/shellcheck-alpine:stable
    steps:
      - name: Install git
        run: apk add --no-cache git

      - name: Checkout
        run: |
          git clone --depth=1 --branch=${{ github.ref_name }} \
            https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git .

      - name: Find and check shell scripts
        run: |
          SCRIPTS=$(find . -name "*.sh" -type f 2>/dev/null || true)
          if [ -n "$SCRIPTS" ]; then
            echo "Checking: $SCRIPTS"
            echo "$SCRIPTS" | xargs shellcheck --severity=warning
          else
            echo "No shell scripts found, skipping"
          fi