# Entry point for pull request checks. Every job below delegates to a
# repository-local reusable workflow under .github/workflows/.
name: PR Validation

# Uses `pull_request`, not `pull_request_target`: the checks build and test
# code proposed by the pull request, and under this trigger pull requests from
# forks get a read-only GITHUB_TOKEN and no repository secrets by default.
# NOTE(review): keep it that way -- moving these jobs to `pull_request_target`
# would run contributor-controlled code with the base repository's privileges.
on:
  pull_request:
    branches:
      - main
    # These three activity types are also the default set for `pull_request`.
    types:
      - opened
      - synchronize
      - reopened

# Workflow-wide default for GITHUB_TOKEN: read repository contents, nothing
# else. Jobs that need an additional scope declare it in their own
# `permissions` block, which replaces this default for that job.
permissions:
  contents: read

jobs:
  # Spell checking using cspell.
  # Delegates to a repository-local reusable workflow. The permissions set on
  # this caller job cap what the called workflow's GITHUB_TOKEN may do.
  spell-check:
    name: Spell Check
    uses: ./.github/workflows/spell-check.yml
    permissions:
      contents: read

  # Markdown linting using markdownlint-cli2.
  # The token is limited to reading repository contents; the called workflow
  # can reduce that further but cannot raise it.
  markdown-lint:
    name: Markdown Lint
    uses: ./.github/workflows/markdown-lint.yml
    permissions:
      contents: read

  # Markdown table formatting check.
  # Read-only token: this job is given no scope that could push commits, so
  # nothing the called workflow computes can be written back to the repository
  # with GITHUB_TOKEN.
  table-format:
    name: Table Format
    uses: ./.github/workflows/table-format.yml
    permissions:
      contents: read

  # Frontmatter validation for markdown files.
  frontmatter-validation:
    name: Frontmatter Validation
    uses: ./.github/workflows/frontmatter-validation.yml
    with:
      # Input defined by the called workflow; presumably restricts validation
      # to files touched by the pull request -- confirm in
      # frontmatter-validation.yml.
      changed-files-only: true
    # Read access to repository contents only.
    permissions:
      contents: read

  # ms.date Freshness Check.
  # All three inputs are interpreted by msdate-freshness-check.yml; the notes
  # below are read from their names and should be confirmed there.
  msdate-freshness:
    name: ms.date Freshness Check
    uses: ./.github/workflows/msdate-freshness-check.yml
    with:
      # Presumably the age in days after which an ms.date value counts as stale.
      staleness-threshold-days: 90
      # Presumably limits the check to files changed by the pull request.
      changed-files-only: true
      # Presumably makes a stale date fail the job instead of only warning.
      soft-fail: false
    # Read access to repository contents only.
    permissions:
      contents: read

  # PowerShell script analysis.
  psscriptanalyzer:
    name: PSScriptAnalyzer
    uses: ./.github/workflows/ps-script-analyzer.yml
    with:
      # NOTE(review): presumably only scripts changed by the pull request are
      # analyzed, so findings in untouched scripts would not surface here --
      # confirm in ps-script-analyzer.yml.
      changed-files-only: true
    # Read access to repository contents only.
    permissions:
      contents: read

  # YAML/actionlint workflow linting.
  yaml-lint:
    name: YAML Lint
    uses: ./.github/workflows/yaml-lint.yml
    with:
      # NOTE(review): presumably only YAML files changed by the pull request
      # are linted; workflow files left untouched would then rely on earlier
      # runs -- confirm in yaml-lint.yml.
      changed-files-only: true
    # Read access to repository contents only.
    permissions:
      contents: read

  # Link language locale check.
  # No `with:` inputs and no `secrets:` are passed, so the called workflow runs
  # with its own defaults and receives no secrets from this caller.
  link-lang-check:
    name: Link Language Check
    uses: ./.github/workflows/link-lang-check.yml
    permissions:
      contents: read

  # Markdown link validation.
  # Runs with a read-only token and without any `secrets:` from this caller.
  # NOTE(review): link checkers usually fetch the URLs found in the documents,
  # including ones a pull request adds -- confirm how markdown-link-check.yml
  # handles that.
  markdown-link-check:
    name: Markdown Link Check
    uses: ./.github/workflows/markdown-link-check.yml
    permissions:
      contents: read

  # Dependency review for security vulnerabilities.
  dependency-review:
    name: Dependency Review
    uses: ./.github/workflows/dependency-review.yml
    permissions:
      contents: read
      # Write scope on pull requests.
      # NOTE(review): presumably so the review result can be posted as a PR
      # comment -- confirm in dependency-review.yml. Pull requests from forks
      # get a read-only token by default, so that step should tolerate being
      # denied rather than fail the whole check.
      pull-requests: write

  # SHA pinning compliance for GitHub Actions and dependencies.
  dependency-pinning:
    name: Dependency Pinning
    uses: ./.github/workflows/dependency-pinning-scan.yml
    permissions:
      contents: read
      security-events: write  # Required for SARIF upload to Security tab
    with:
      upload-sarif: true
      # NOTE(review): presumably anything matching these globs is skipped by
      # the scan, so unpinned references placed under these two Fixtures trees
      # would go unreported. Keep the list limited to test fixtures and do not
      # broaden it to paths that hold real workflows or manifests.
      exclude-paths: 'scripts/tests/Fixtures/**,shared/ci/tests/Fixtures/**'

  # PowerShell Pester test execution.
  pester-tests:
    name: Pester Tests
    uses: ./.github/workflows/pester-tests.yml
    with:
      code-coverage: true
      # Unlike most jobs in this file, not limited to changed files.
      changed-files-only: false
      soft-fail: false
    permissions:
      contents: read
      # Lets the called workflow request a GitHub OIDC token.
      # NOTE(review): the consumer is not visible here; presumably tokenless
      # coverage upload, since code-coverage is enabled -- confirm in
      # pester-tests.yml. Pull requests from forks are not granted this scope
      # by default, so the upload step should tolerate its absence.
      id-token: write

  # Dataviewer frontend lint, type-check, and unit tests.
  dataviewer-frontend-tests:
    name: Dataviewer Frontend Tests
    uses: ./.github/workflows/dataviewer-frontend-tests.yml
    with:
      code-coverage: true
    permissions:
      contents: read
      # Permits requesting a GitHub OIDC token while test code from the pull
      # request is being executed.
      # NOTE(review): presumably used for coverage upload (code-coverage is
      # enabled) -- confirm in dataviewer-frontend-tests.yml, and check that the
      # token is requested only in the upload step and for a fixed audience.
      id-token: write

  # Docusaurus documentation site tests and build verification.
  docusaurus-tests:
    name: Docusaurus Tests
    uses: ./.github/workflows/docusaurus-tests.yml
    with:
      # Presumably makes a failed test or build fail this check -- confirm in
      # docusaurus-tests.yml.
      soft-fail: false
    # Read-only: this job passes no code-coverage input and requests no
    # id-token scope, unlike the other test jobs in this file.
    permissions:
      contents: read

  # Python pytest test execution.
  pytest-tests:
    name: Pytest Tests
    uses: ./.github/workflows/pytest-tests.yml
    with:
      code-coverage: true
    permissions:
      contents: read
      # Allows the called workflow to request a GitHub OIDC token.
      # NOTE(review): presumably for coverage upload, as code-coverage is
      # enabled -- confirm in pytest-tests.yml. Not granted to pull requests
      # from forks by default.
      id-token: write

  # Dataviewer backend pytest execution.
  dataviewer-backend-pytests:
    name: Dataviewer Backend Pytest
    uses: ./.github/workflows/dataviewer-backend-pytests.yml
    with:
      code-coverage: true
    permissions:
      contents: read
      # Allows the called workflow to request a GitHub OIDC token.
      # NOTE(review): presumably for coverage upload, as code-coverage is
      # enabled -- confirm in dataviewer-backend-pytests.yml. Not granted to
      # pull requests from forks by default.
      id-token: write

  # Fuzz regression via deterministic corpus-based tests.
  # Replays a stored corpus rather than fuzzing live, per the description above;
  # the corpus location and runner are defined in fuzz-regression-tests.yml.
  fuzz-regression-tests:
    name: Fuzz Regression Tests
    uses: ./.github/workflows/fuzz-regression-tests.yml
    with:
      code-coverage: true
    permissions:
      contents: read
      # Allows the called workflow to request a GitHub OIDC token.
      # NOTE(review): presumably for coverage upload, as code-coverage is
      # enabled -- confirm in fuzz-regression-tests.yml.
      id-token: write

  # Python linting using ruff.
  # Read-only token, no inputs and no `secrets:` passed from this caller.
  python-lint:
    name: Python Lint
    uses: ./.github/workflows/python-lint.yml
    permissions:
      contents: read

  # Terraform linting using TFLint.
  terraform-lint:
    name: Terraform Lint
    uses: ./.github/workflows/terraform-lint.yml
    with:
      # Presumably makes lint findings fail this check -- confirm in
      # terraform-lint.yml.
      soft-fail: false
    # Read access to repository contents only; no cloud credentials or
    # `secrets:` are passed from this caller.
    permissions:
      contents: read

  # Terraform format and validate checks.
  terraform-validation:
    name: Terraform Validation
    uses: ./.github/workflows/terraform-validation.yml
    with:
      # Presumably makes a format or validate error fail this check.
      soft-fail: false
      # Presumably limits the checks to Terraform changed by the pull request.
      # Both inputs are interpreted by terraform-validation.yml -- confirm there.
      changed-files-only: true
    # Read access to repository contents only.
    permissions:
      contents: read

  # Terraform test execution with Codecov Test Analytics.
  terraform-tests:
    name: Terraform Tests
    uses: ./.github/workflows/terraform-tests.yml
    with:
      # NOTE(review): soft-fail is true here while terraform-lint and
      # terraform-validation set it to false. Presumably test failures are
      # reported without failing the check, which means this job gives no merge
      # protection -- confirm that is intended.
      soft-fail: true
      changed-files-only: true
      code-coverage: true
    permissions:
      contents: read
      # Allows the called workflow to request a GitHub OIDC token.
      # NOTE(review): presumably for the Codecov upload named in the job
      # description -- confirm in terraform-tests.yml. Not granted to pull
      # requests from forks by default.
      id-token: write

  # Go linting using golangci-lint.
  go-lint:
    name: Go Lint
    uses: ./.github/workflows/go-lint.yml
    with:
      # Presumably makes lint findings fail this check.
      soft-fail: false
      # Presumably limits linting to Go code changed by the pull request.
      # Both inputs are interpreted by go-lint.yml -- confirm there.
      changed-files-only: true
    # Read access to repository contents only.
    permissions:
      contents: read

  # Terraform documentation freshness check.
  terraform-docs-check:
    name: Terraform Docs Check
    uses: ./.github/workflows/terraform-docs-check.yml
    with:
      # NOTE(review): presumably advisory only -- with soft-fail set to true,
      # out-of-date generated docs would not fail the pull request. Confirm in
      # terraform-docs-check.yml.
      soft-fail: true
      changed-files-only: true
    # Read access to repository contents only.
    permissions:
      contents: read

  # Go tests.
  go-tests:
    name: Go Tests
    uses: ./.github/workflows/go-tests.yml
    with:
      # NOTE(review): soft-fail is true here while go-lint sets it to false.
      # Presumably failing Go tests do not fail the check, so this job does not
      # gate merges -- confirm that is intended.
      soft-fail: true
      changed-files-only: true
      code-coverage: true
    permissions:
      contents: read
      # Allows the called workflow to request a GitHub OIDC token.
      # NOTE(review): presumably for coverage upload, as code-coverage is
      # enabled -- confirm in go-tests.yml. Not granted to pull requests from
      # forks by default.
      id-token: write

  # ShellCheck linting for shell scripts.
  shellcheck:
    name: ShellCheck
    uses: ./.github/workflows/shellcheck.yml
    with:
      # Presumably makes ShellCheck findings fail this check.
      soft-fail: false
      # NOTE(review): presumably only scripts changed by the pull request are
      # checked. Both inputs are interpreted by shellcheck.yml -- confirm there.
      changed-files-only: true
    # Read access to repository contents only.
    permissions:
      contents: read

  # CodeQL security analysis.
  # Languages, query suites and build steps are defined in codeql-analysis.yml;
  # this caller passes no inputs and no `secrets:`.
  codeql-analysis:
    name: CodeQL Analysis
    uses: ./.github/workflows/codeql-analysis.yml
    permissions:
      contents: read
      # Allows writing code scanning results for the repository.
      security-events: write
      # Read access to Actions metadata.
      # NOTE(review): presumably required by the CodeQL upload step -- confirm
      # in codeql-analysis.yml before removing.
      actions: read
