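---
# Signs, attests and batch-simulates the sample policies whenever policy docs,
# policy examples, the policy scripts or this workflow change. All signing
# material is generated inside the job (ephemeral key, empty passphrase) and
# is only meaningful for this single run.
name: Policy Simulation

on:  # yamllint disable-line rule:truthy
  pull_request:
    paths:
      - 'docs/policy/**'
      - 'docs/examples/policies/**'
      - 'scripts/policy/**'
      - '.gitea/workflows/policy-simulate.yml'
  push:
    branches: [main]
    paths:
      - 'docs/policy/**'
      - 'docs/examples/policies/**'
      - 'scripts/policy/**'
      - '.gitea/workflows/policy-simulate.yml'

jobs:
  policy-simulate:
    runs-on: ubuntu-22.04
    env:
      # Quoted: environment values are strings; this avoids int/bool coercion
      # by a generic YAML loader.
      DOTNET_NOLOGO: '1'
      DOTNET_CLI_TELEMETRY_OPTOUT: '1'
      DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: '1'
      TZ: UTC
      THRESHOLD: '0'
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # `with:` belongs to a `uses:` step; it was previously attached to the
          # shell step below, where a `run:` step cannot carry it.
          fetch-depth: 0

      - name: Task Pack offline bundle fixtures
        # NOTE(review): a .sh script is invoked via python3 — confirm that is
        # the intended interpreter.
        run: python3 scripts/packs/run-fixtures-check.sh

      - name: Setup .NET 10 RC
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.100'
          include-prerelease: true

      # Third-party actions are pinned to tags only; for supply-chain hardening
      # pin each `uses:` to a full commit SHA and keep the tag as a comment.
      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.4.0

      - name: Cache NuGet packages
        uses: actions/cache@v4
        with:
          path: |
            ~/.nuget/packages
            local-nugets/packages
          key: policy-sim-nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}

      - name: Restore CLI
        run: |
          dotnet restore src/Cli/StellaOps.Cli/StellaOps.Cli.csproj --configfile nuget.config

      - name: Generate policy signing key (ephemeral)
        # Per-run throwaway key with an empty passphrase; never a release key.
        run: |
          OUT_DIR=out/policy-sign/keys PREFIX=ci-policy COSIGN_PASSWORD= scripts/policy/rotate-key.sh

      - name: Sign sample policy blob
        run: |
          export COSIGN_KEY_B64=$(base64 -w0 out/policy-sign/keys/ci-policy-cosign.key)
          COSIGN_PASSWORD= \
            scripts/policy/sign-policy.sh --file docs/examples/policies/baseline.stella --out-dir out/policy-sign

      - name: Attest and verify sample policy blob
        run: |
          export COSIGN_KEY_B64=$(base64 -w0 out/policy-sign/keys/ci-policy-cosign.key)
          COSIGN_PASSWORD= \
            scripts/policy/attest-verify.sh --file docs/examples/policies/baseline.stella --out-dir out/policy-sign

      - name: Run batch policy simulation
        run: |
          scripts/policy/batch-simulate.sh

      - name: Upload simulation artifacts
        uses: actions/upload-artifact@v4
        with:
          name: policy-simulation
          path: out/policy-sim
          retention-days: 7

      - name: Upload signing artifacts
        uses: actions/upload-artifact@v4
        with:
          name: policy-signing
          # Keep signatures and attestations, but do not publish the
          # unencrypted private key that rotate-key.sh writes under
          # out/policy-sign/keys — with it anyone holding the artifact could
          # produce signatures that verify against the bundled public key.
          path: |
            out/policy-sign
            !out/policy-sign/**/*.key
          retention-days: 7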