name: Differential ShellCheck

on:
  push:
    branches:
      - main
      - 'rc/**'
    paths:
      - '**.sh'
      - 'podkop/files/usr/bin/**'
      - 'podkop/files/usr/lib/**'
      - '.github/workflows/shellcheck.yml'
  pull_request:
    branches:
      - main
      - 'rc/**'
    paths:
      - '**.sh'
      - 'podkop/files/usr/bin/**'
      - 'podkop/files/usr/lib/**'
      - '.github/workflows/shellcheck.yml'

permissions:
  contents: read

jobs:
  shellcheck:
    name: Differential ShellCheck
    runs-on: ubuntu-latest
    
    permissions:
      contents: read
      security-events: write
    
    steps:
      - name: Checkout code
        uses: actions/checkout@v5.0.0
        with:
          fetch-depth: 0
      
      - name: Differential ShellCheck
        uses: redhat-plumbers-in-action/differential-shellcheck@v5.5.5
        with:
          severity: error
          scan-directory: |
            podkop/files/usr/bin/**
            podkop/files/usr/lib/**
          token: ${{ secrets.GITHUB_TOKEN }}