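---
# CI workflow: blocking lint/test/security gates (rust-blocking, web-blocking,
# security-blocking) plus non-blocking advisory scans (web-advisory,
# security-advisory). Runs on every pull request and on pushes to main/master.
name: CI

on:
  pull_request:
  push:
    branches:
      - main
      - master

# Least privilege for GITHUB_TOKEN: nothing in this workflow pushes, opens
# issues/PRs or uploads SARIF, so read-only repository contents is enough.
# Raise this per job (not here) if a write-scoped step is added later.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always
  # 16 MiB minimum thread stack; quoted so it is unambiguously a string.
  RUST_MIN_STACK: "16777216"

jobs:
  rust-blocking:
    name: Rust Blocking Checks
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): all third-party actions in this file are referenced by
      # mutable tags (@v4, @v5, @stable). For supply-chain hardening, pin each
      # `uses:` to a full commit SHA (tag as a trailing comment) and let
      # Dependabot/Renovate keep the pins current.
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt, clippy
      - name: Rustfmt
        run: cargo fmt --all -- --check
      - name: Clippy
        run: cargo clippy --workspace --all-targets --all-features -- -D warnings
      - name: Tests
        run: cargo test --workspace --all-features
      # --locked honours each tool's own Cargo.lock, but the tool versions
      # themselves still float; consider `--version` pins for reproducibility.
      - name: Install Rust security tooling
        run: cargo install --locked cargo-audit cargo-deny
      - name: Cargo Audit
        run: cargo audit
      # Assumes a deny.toml at the workspace root — confirm it exists.
      - name: Cargo Deny
        run: cargo deny check

  web-blocking:
    name: Web Blocking Checks
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: web
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "22"
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - name: Install dependencies
        run: npm ci
      - name: ESLint
        run: npm run lint
      - name: TypeScript
        run: npm run typecheck
      - name: Build
        run: npm run build

  security-blocking:
    name: Security Blocking Checks
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # `gitleaks git` scans commit history. With the default shallow
          # clone (fetch-depth 1) only the HEAD commit is present, so a secret
          # committed and then removed within the same PR would go unnoticed.
          fetch-depth: 0
      - name: Install Gitleaks
        run: |
          mkdir -p "$HOME/bin"
          GITLEAKS_VERSION="8.24.2"
          ARCH="$(uname -m)"
          case "$ARCH" in
            x86_64) ARCH="x64" ;;
            aarch64|arm64) ARCH="arm64" ;;
            *)
              echo "Unsupported architecture: $ARCH"
              exit 1
              ;;
          esac
          curl -sSfL \
            -o /tmp/gitleaks.tar.gz \
            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_${ARCH}.tar.gz"
          # TODO(review): verify the tarball against a SHA-256 pinned in this
          # file (e.g. `echo "<sha256>  /tmp/gitleaks.tar.gz" | sha256sum -c`)
          # before extracting. HTTPS alone does not protect against a
          # replaced or tampered release asset; the version pin above only
          # fixes *which* asset is fetched, not *what* it contains.
          tar -xzf /tmp/gitleaks.tar.gz -C "$HOME/bin" gitleaks
          chmod +x "$HOME/bin/gitleaks"
      # Assumes .gitleaks.toml exists at the repo root — verify. The SARIF
      # report is written but not uploaded anywhere; if code-scanning
      # integration is wanted, add an upload step (that step would need
      # `security-events: write` on this job).
      - name: Gitleaks
        run: |
          "$HOME/bin/gitleaks" git \
            --report-format sarif \
            --report-path gitleaks.sarif \
            --config .gitleaks.toml

  web-advisory:
    name: Web Advisory Checks
    runs-on: ubuntu-latest
    # Advisory only: a failure here never fails the workflow.
    continue-on-error: true
    defaults:
      run:
        working-directory: web
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "22"
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - name: Install dependencies
        run: npm ci
      - name: Knip
        run: npm run knip
        continue-on-error: true
      - name: NPM Audit (prod deps)
        run: npm audit --omit=dev
        continue-on-error: true

  security-advisory:
    name: Security Advisory Checks
    runs-on: ubuntu-latest
    # Advisory only: a failure here never fails the workflow.
    continue-on-error: true
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      # NOTE(review): unpinned `pip install semgrep` fetches the newest
      # release on every run, so results are not reproducible and a
      # compromised release would be picked up immediately; pin a version
      # (ideally with --require-hashes).
      - name: Install Semgrep
        run: pip install semgrep
      - name: Semgrep
        run: semgrep scan --config p/default --error
        continue-on-error: true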