name: Check semver
on:
  pull_request:
  merge_group:
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  semver:
    name: Check semver
    runs-on: ubuntu-24.04
    timeout-minutes: 20
    defaults:
      run:
        shell: bash
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          fetch-depth: 1
          fetch-tags: true
          sparse-checkout: min_version.txt
          sparse-checkout-cone-mode: false

      - name: Get latest tag
        id: tag
        run: |
          TAG=$(git tag --sort=-version:refname | head -n 1)
          if [ -z "$TAG" ]; then
            echo "::error::No tags found; cannot determine semver baseline"
            exit 1
          fi
          echo "ref=$TAG" >> "$GITHUB_OUTPUT"

      - uses: mozilla/actions/nss@2e46408d5c495e59a21e5e125e82008fad0d9408 # v1.1.7
        with:
          version-file: min_version.txt
          token: ${{ secrets.GITHUB_TOKEN }}

      - uses: mozilla/actions/semver@2e46408d5c495e59a21e5e125e82008fad0d9408 # v1.1.7
        with:
          base-ref: ${{ steps.tag.outputs.ref }}