name: AOC Guard CI

on:
  push:
    branches: [ main ]
    paths:
      - 'src/Aoc/**'
      - 'src/Concelier/**'
      - 'src/Authority/**'
      - 'src/Excititor/**'
      - 'ops/devops/aoc/**'
      - '.gitea/workflows/aoc-guard.yml'
  pull_request:
    branches: [ main, develop ]
    paths:
      - 'src/Aoc/**'
      - 'src/Concelier/**'
      - 'src/Authority/**'
      - 'src/Excititor/**'
      - 'ops/devops/aoc/**'
      - '.gitea/workflows/aoc-guard.yml'

jobs:
  aoc-guard:
    runs-on: ubuntu-22.04
    env:
      DOTNET_VERSION: '10.0.100-rc.1.25451.107'
      ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Export OpenSSL 1.1 shim for Mongo2Go
        run: scripts/enable-openssl11-shim.sh

      - name: Set up .NET SDK
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true

      - name: Restore analyzers
        run: dotnet restore src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/StellaOps.Aoc.Analyzers.csproj

      - name: Build analyzers
        run: dotnet build src/Aoc/__Analyzers/StellaOps.Aoc.Analyzers/StellaOps.Aoc.Analyzers.csproj -c Release

      - name: Run analyzers against ingestion projects
        run: |
          dotnet build src/Concelier/StellaOps.Concelier.Ingestion/StellaOps.Concelier.Ingestion.csproj -c Release /p:RunAnalyzers=true /p:TreatWarningsAsErrors=true
          dotnet build src/Authority/StellaOps.Authority.Ingestion/StellaOps.Authority.Ingestion.csproj -c Release /p:RunAnalyzers=true /p:TreatWarningsAsErrors=true
          dotnet build src/Excititor/StellaOps.Excititor.Ingestion/StellaOps.Excititor.Ingestion.csproj -c Release /p:RunAnalyzers=true /p:TreatWarningsAsErrors=true

      - name: Run analyzer tests
        run: |
          mkdir -p $ARTIFACT_DIR
          dotnet test src/Aoc/__Tests/StellaOps.Aoc.Analyzers.Tests/StellaOps.Aoc.Analyzers.Tests.csproj -c Release --logger "trx;LogFileName=aoc-tests.trx" --results-directory $ARTIFACT_DIR

      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: aoc-guard-artifacts
          path: ${{ env.ARTIFACT_DIR }}

  aoc-verify:
    needs: aoc-guard
    runs-on: ubuntu-22.04
    if: github.event_name != 'schedule'
    env:
      DOTNET_VERSION: '10.0.100-rc.1.25451.107'
      ARTIFACT_DIR: ${{ github.workspace }}/.artifacts
      AOC_VERIFY_SINCE: ${{ github.event.pull_request.base.sha || 'HEAD~1' }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Export OpenSSL 1.1 shim for Mongo2Go
        run: scripts/enable-openssl11-shim.sh

      - name: Set up .NET SDK
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}
          include-prerelease: true

      - name: Run AOC verify
        env:
          STAGING_MONGO_URI: ${{ secrets.STAGING_MONGO_URI || vars.STAGING_MONGO_URI }}
        run: |
          if [ -z "${STAGING_MONGO_URI:-}" ]; then
            echo "::warning::STAGING_MONGO_URI not set; skipping aoc verify"
            exit 0
          fi
          mkdir -p $ARTIFACT_DIR
          dotnet run --project src/Aoc/StellaOps.Aoc.Cli -- verify --since "$AOC_VERIFY_SINCE" --mongo "$STAGING_MONGO_URI" --output "$ARTIFACT_DIR/aoc-verify.json" --ndjson "$ARTIFACT_DIR/aoc-verify.ndjson" || VERIFY_EXIT=$?
          if [ -n "${VERIFY_EXIT:-}" ] && [ "${VERIFY_EXIT}" -ne 0 ]; then
            echo "::error::AOC verify reported violations"; exit ${VERIFY_EXIT}
          fi

      - name: Upload verify artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: aoc-verify-artifacts
          path: ${{ env.ARTIFACT_DIR }}