name: Pull Request Validation

on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened

jobs:
  validate:
    runs-on: ubuntu-latest
    container: docker.io/catthehacker/ubuntu:act-latest
    defaults:
      run:
        shell: bash
    env:
      ARTEFACT_BUCKET_NAME: ${{ vars.ARTEFACT_BUCKET_NAME }}
      ARTEFACT_BUCKET_ENDPONT: ${{ vars.ARTEFACT_BUCKET_ENDPONT }}
      ARTEFACT_BUCKET_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
      AWS_ACCESS_KEY_ID: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_KEY }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_SECRET }}
      AWS_DEFAULT_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
      AWS_EC2_METADATA_DISABLED: true
      GOTOOLCHAIN: auto
      SUMMARY_FILE: ${{ runner.temp }}/summary.md
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.26.1'
          check-latest: true
          cache: true
          cache-dependency-path: go.sum

      - name: Cache Go modules and build cache
        uses: actions/cache@v4
        with:
          path: |
            ~/go/pkg/mod
            ~/.cache/go-build
            ~/go/bin
          key: ${{ runner.os }}-go-cache-${{ hashFiles('**/go.mod', '**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-cache-

      - name: Verify module hygiene
        run: |
          set -euo pipefail
          go mod tidy
          git diff --exit-code go.mod go.sum
          go mod verify

      - name: Prepare test runtime
        run: |
          set -euo pipefail
          apt-get update
          apt-get install -y ruby
          git config --global user.name "gitea-actions[bot]"
          git config --global user.email "gitea-actions[bot]@users.noreply.local"

      - name: Run full unit test suite with coverage
        id: coverage
        run: |
          set -euo pipefail

          go test -covermode=atomic -coverprofile=coverage.out ./... | tee go-test-coverage.log

          set +e
          awk '
            /^ok[[:space:]]/ && /coverage: [0-9.]+% of statements/ {
              pkg = $2
              cov = $0
              sub(/^.*coverage: /, "", cov)
              sub(/% of statements.*$/, "", cov)
              status = "target"
              if (cov + 0 < 50) {
                status = "fail"
                fail = 1
              } else if (cov + 0 < 65) {
                status = "high-risk"
              } else if (cov + 0 < 80) {
                status = "warning"
              }
              printf "%s %.1f %s\n", pkg, cov + 0, status
            }
            END {
              if (fail) {
                exit 2
              }
            }
          ' go-test-coverage.log > coverage-packages.raw
          package_gate_status=$?
          set -e

          {
            echo '| Package | Coverage | Status |'
            echo '| --- | ---: | --- |'
          } > coverage-packages.md

          while read -r pkg cov status; do
            case "$status" in
              fail)
                pretty='FAIL (<50%)'
                ;;
              high-risk)
                pretty='High risk (50%-64.99%)'
                ;;
              warning)
                pretty='Warning (65%-79.99%)'
                ;;
              *)
                pretty='Target (>=80%)'
                ;;
            esac
            printf '| `%s` | %.1f%% | %s |\n' "$pkg" "$cov" "$pretty" >> coverage-packages.md
          done < coverage-packages.raw

          if [[ "$package_gate_status" -ne 0 ]]; then
            echo "Per-package coverage gate failed: one or more packages are below 50%." >&2
            exit 1
          fi

      - name: Check code formatting
        run: |
          set -euo pipefail
          fmt_output=$(go fmt ./...)
          if [[ -n "$fmt_output" ]]; then
            echo "Code formatting check failed. The following files need formatting:" >&2
            echo "$fmt_output" >&2
            exit 1
          fi

      - name: Run Gosec Security Scanner
        run: |
          set -euo pipefail
          go install github.com/securego/gosec/v2/cmd/gosec@latest
          gosec ./...

      - name: Run Go Vulnerability Check
        uses: golang/govulncheck-action@v1.0.4
        with:
          go-package: ./...
          cache: true
          cache-dependency-path: go.sum

      - name: Upload coverage badge
        id: badge
        if: ${{ always() && hashFiles('coverage.out') != '' }}
        uses: https://git.hrafn.xyz/aether/vociferate/coverage-badge@v1.1.0
        with:
          artefact-bucket-name: ${{ vars.ARTEFACT_BUCKET_NAME }}
          artefact-bucket-endpoint: ${{ vars.ARTEFACT_BUCKET_ENDPONT }}

      - name: Decorate PR
        if: ${{ always() }}
        uses: https://git.hrafn.xyz/aether/vociferate/decorate-pr@v1.1.0
        with:
          coverage-percentage: ${{ steps.badge.outputs.total }}
          badge-url: ${{ steps.badge.outputs.badge-url }}
          enable-changelog-gate: 'true'
          changelog-gate-mode: strict

      - name: Add coverage summary
        run: |
          {
            echo '## Coverage'
            echo
            echo '- Total: `${{ steps.badge.outputs.total }}%`'
            echo '- Report: ${{ steps.badge.outputs.report-url }}'
            echo '- Badge: ${{ steps.badge.outputs.badge-url }}'
            echo
            echo '### Package Coverage'
            cat coverage-packages.md
          } >> "$SUMMARY_FILE"

      - name: Run behavior suite
        run: ./script/run-behavior-suite-docker.sh

      - name: Summary
        if: ${{ always() }}
        run: |
          if [[ -f "$SUMMARY_FILE" ]]; then
            cat "$SUMMARY_FILE" >> "$GITHUB_STEP_SUMMARY"
          fi