---
name: "Dev Container Checker"

on:
    workflow_dispatch:
    push:
        paths:
            - ".devcontainer/**"
            - ".github/workflows/devcontainer-checker.yml"
        branches:
            - main
    pull_request:
        types:
            - opened
            - reopened
            - synchronize
        paths:
            - ".devcontainer/**"
            - ".github/workflows/devcontainer-checker.yml"

concurrency:
    group: ${{ github.workflow }}-${{ github.ref }}
    cancel-in-progress: true

jobs:
    dev-container-checker:
        runs-on: ubuntu-latest

        steps:
            - name: Harden Security Runner
              uses: step-security/harden-runner@v2
              with:
                  egress-policy: block
                  allowed-endpoints: >
                      *.data.mcr.microsoft.com:443
                      api.snapcraft.io:443
                      auth.docker.io:443
                      deb.debian.org:443
                      deb.debian.org:80
                      dl.yarnpkg.com:443
                      files.pythonhosted.org:443
                      ghcr.io:443
                      git.rootprojects.org:443
                      github.com:443
                      mcr.microsoft.com:443
                      nodejs.org:443
                      objects.githubusercontent.com:443
                      pkg-containers.githubusercontent.com:443
                      production.cloudflare.docker.com:443
                      pypi.org:443
                      registry-1.docker.io:443
                      registry.npmjs.org:443
                      webi.sh:443

            - name: Checkout
              uses: actions/checkout@v4

            - name: Build and run dev container task
              uses: devcontainers/ci@v0.3
              with:
                  runCmd: |
                      poe lint
                      poe test