name: Push Validation

on:
  push:
    branches:
      - "**"
    tags-ignore:
      - "*"

jobs:
  validate:
    runs-on: ubuntu-latest
    container: docker.io/catthehacker/ubuntu:act-latest
    defaults:
      run:
        shell: bash
    env:
      ARTEFACT_BUCKET_NAME: ${{ vars.ARTEFACT_BUCKET_NAME }}
      ARTEFACT_BUCKET_ENDPONT: ${{ vars.ARTEFACT_BUCKET_ENDPONT }}
      ARTEFACT_BUCKET_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
      AWS_ACCESS_KEY_ID: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_KEY }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_SECRET }}
      AWS_DEFAULT_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
      AWS_EC2_METADATA_DISABLED: true
      SUMMARY_FILE: ${{ runner.temp }}/summary.md
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.26.1'
          check-latest: true
          cache: true
          cache-dependency-path: go.sum

      - name: Verify module hygiene
        run: |
          set -euo pipefail
          go mod tidy
          git diff --exit-code go.mod go.sum
          go mod verify

      - name: Install security tools
        run: |
          set -euo pipefail
          go install github.com/securego/gosec/v2/cmd/gosec@v2.22.3
          go install golang.org/x/vuln/cmd/govulncheck@v1.1.4

      - name: Install AWS CLI v2
        uses: ankurk91/install-aws-cli-action@v1

      - name: Verify AWS CLI
        run: aws --version

      - name: Run full unit test suite with coverage
        id: coverage
        run: |
          set -euo pipefail

          go test -covermode=atomic -coverprofile=coverage.out ./... | tee go-test-coverage.log
          go tool cover -html=coverage.out -o coverage.html

          total="$(go tool cover -func=coverage.out | awk '/^total:/ {sub(/%/, "", $3); print $3}')"
          printf '{\n  "total": "%s"\n}\n' "$total" > coverage-summary.json
          printf 'total=%s\n' "$total" >> "$GITHUB_OUTPUT"

          set +e
          awk '
            /^ok[[:space:]]/ && /coverage: [0-9.]+% of statements/ {
              pkg = $2
              cov = $0
              sub(/^.*coverage: /, "", cov)
              sub(/% of statements.*$/, "", cov)
              status = "target"
              if (cov + 0 < 50) {
                status = "fail"
                fail = 1
              } else if (cov + 0 < 65) {
                status = "high-risk"
              } else if (cov + 0 < 80) {
                status = "warning"
              }
              printf "%s %.1f %s\n", pkg, cov + 0, status
            }
            END {
              if (fail) {
                exit 2
              }
            }
          ' go-test-coverage.log > coverage-packages.raw
          package_gate_status=$?
          set -e

          {
            echo '| Package | Coverage | Status |'
            echo '| --- | ---: | --- |'
          } > coverage-packages.md

          while read -r pkg cov status; do
            case "$status" in
              fail)
                pretty='FAIL (<50%)'
                ;;
              high-risk)
                pretty='High risk (50%-64.99%)'
                ;;
              warning)
                pretty='Warning (65%-79.99%)'
                ;;
              *)
                pretty='Target (>=80%)'
                ;;
            esac
            printf '| `%s` | %.1f%% | %s |\n' "$pkg" "$cov" "$pretty" >> coverage-packages.md
          done < coverage-packages.raw

          if [[ "$package_gate_status" -ne 0 ]]; then
            echo "Per-package coverage gate failed: one or more packages are below 50%." >&2
            exit 1
          fi

      - name: Run security analysis
        run: |
          set -euo pipefail
          "$(go env GOPATH)/bin/gosec" ./...
          "$(go env GOPATH)/bin/govulncheck" ./...

      - name: Generate coverage badge
        env:
          COVERAGE_TOTAL: ${{ steps.coverage.outputs.total }}
        run: |
          set -euo pipefail

          color="$(awk -v total="$COVERAGE_TOTAL" 'BEGIN {
            if (total >= 80) print "brightgreen";
            else if (total >= 70) print "green";
            else if (total >= 60) print "yellowgreen";
            else if (total >= 50) print "yellow";
            else print "red";
          }')"

          cat > coverage-badge.svg <<EOF
          <svg xmlns="http://www.w3.org/2000/svg" width="126" height="20" role="img" aria-label="coverage: ${COVERAGE_TOTAL}%">
            <linearGradient id="smooth" x2="0" y2="100%">
              <stop offset="0" stop-color="#bbb" stop-opacity=".1"/>
              <stop offset="1" stop-opacity=".1"/>
            </linearGradient>
            <clipPath id="round">
              <rect width="126" height="20" rx="3" fill="#fff"/>
            </clipPath>
            <g clip-path="url(#round)">
              <rect width="63" height="20" fill="#555"/>
              <rect x="63" width="63" height="20" fill="${color}"/>
              <rect width="126" height="20" fill="url(#smooth)"/>
            </g>
            <g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" font-size="11">
              <text x="32.5" y="15" fill="#010101" fill-opacity=".3">coverage</text>
              <text x="32.5" y="14">coverage</text>
              <text x="93.5" y="15" fill="#010101" fill-opacity=".3">${COVERAGE_TOTAL}%</text>
              <text x="93.5" y="14">${COVERAGE_TOTAL}%</text>
            </g>
          </svg>
          EOF

      - name: Upload branch coverage artefacts
        id: upload
        run: |
          set -euo pipefail

          aws configure set default.s3.addressing_style path

          repo_name="${GITHUB_REPOSITORY##*/}"
          prefix="${repo_name}/branch/${GITHUB_REF_NAME}"
          report_url="${ARTEFACT_BUCKET_ENDPONT%/}/${ARTEFACT_BUCKET_NAME}/${prefix}/coverage.html"
          badge_url="${ARTEFACT_BUCKET_ENDPONT%/}/${ARTEFACT_BUCKET_NAME}/${prefix}/coverage-badge.svg"

          aws --endpoint-url "${ARTEFACT_BUCKET_ENDPONT}" s3 cp coverage.html "s3://${ARTEFACT_BUCKET_NAME}/${prefix}/coverage.html" --content-type text/html
          aws --endpoint-url "${ARTEFACT_BUCKET_ENDPONT}" s3 cp coverage-badge.svg "s3://${ARTEFACT_BUCKET_NAME}/${prefix}/coverage-badge.svg" --content-type image/svg+xml
          aws --endpoint-url "${ARTEFACT_BUCKET_ENDPONT}" s3 cp coverage-summary.json "s3://${ARTEFACT_BUCKET_NAME}/${prefix}/coverage-summary.json" --content-type application/json

          printf 'report_url=%s\n' "$report_url" >> "$GITHUB_OUTPUT"
          printf 'badge_url=%s\n' "$badge_url" >> "$GITHUB_OUTPUT"

      - name: Add coverage summary
        run: |
          {
            echo '## Coverage'
            echo
            echo '- Total: `${{ steps.coverage.outputs.total }}%`'
            echo '- Report: ${{ steps.upload.outputs.report_url }}'
            echo '- Badge: ${{ steps.upload.outputs.badge_url }}'
            echo
            echo '### Package Coverage'
            cat coverage-packages.md
          } >> "$SUMMARY_FILE"

      - name: Run behavior suite on main pushes
        if: ${{ github.ref == 'refs/heads/main' }}
        run: ./script/run-behavior-suite-docker.sh

      - name: Summary
        if: ${{ always() }}
        run: |
          if [[ -f "$SUMMARY_FILE" ]]; then
            cat "$SUMMARY_FILE" >> "$GITHUB_STEP_SUMMARY"
          fi