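---
# NIP Package Manager CI
#
# Three independent jobs run on every push / pull request to the listed
# branches:
#   build          - compiles the release binary and inspects it
#   test           - compiles the binary, then runs the test suite
#   security-scan  - rejects commits carrying editor/agent directories or a
#                    developer's local home-directory path
#
# NOTE(review): no step in this workflow installs Nim; it assumes the runner
# image already provides `nim` on PATH - confirm.
# NOTE(review): `actions/checkout@v4` is a mutable tag; pinning the action to
# a full commit SHA protects against the tag being moved.
name: NIP CI

on:
  push:
    branches: [unstable, main, stable, testing]
  pull_request:
    branches: [unstable, main]

# Least privilege: no job here pushes, comments or publishes, so the token
# only needs to read the repository.
permissions:
  contents: read

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Later steps compile and run repository code; do not leave the
          # token in .git/config where that code could read it.
          persist-credentials: false

      - name: Verify toolchain
        # The pipeline's exit status is that of `head`, so a missing compiler
        # would not fail this step on its own; check for the binary first.
        run: |
          command -v nim
          nim --version | head -1

      - name: Build (release)
        run: nim c -d:release --opt:speed --hints:off -o:nip nip.nim

      - name: Verify binary
        run: |
          ls -lh nip
          file nip

  test:
    name: Test Suite
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Build for testing
        run: nim c -d:release -o:nip nip.nim

      - name: Run test suite
        # Runner preference: shell script, then the aggregate Nim file, then
        # every tests/test_*.nim individually. In the fallback every test is
        # still executed, but any failure now fails the job instead of being
        # swallowed, and an empty test set is an error rather than a pass.
        run: |
          if [ -f tests/run_all_tests.sh ]; then
            chmod +x tests/run_all_tests.sh
            ./tests/run_all_tests.sh
          elif [ -f tests/all_tests.nim ]; then
            nim c -r tests/all_tests.nim
          else
            echo "No test runner found, running individual tests..."
            status=0
            ran=0
            for t in tests/test_*.nim; do
              # An unmatched glob stays literal; skip it.
              [ -e "$t" ] || continue
              ran=$((ran + 1))
              echo "=== Running $t ==="
              if ! nim c -r "$t"; then
                echo "FAILED: $t"
                status=1
              fi
            done
            if [ "$ran" -eq 0 ]; then
              echo "FAIL: no tests found under tests/"
              exit 1
            fi
            exit "$status"
          fi

  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Check for sensitive content
        run: |
          FAIL=0

          # Editor / agent state directories at the repository root.
          found="$(find . \( -path './.agent' -o -path './.vscode' -o -path './.kiro' \) -print)"
          if [ -n "$found" ]; then
            echo "FAIL: Sensitive directories found"
            printf '%s\n' "$found"
            FAIL=1
          fi

          # Developer-local home path in tracked files. The bracket
          # expression keeps the pattern from matching this workflow file,
          # which would otherwise always trip the check.
          # git grep: 0 = match, 1 = no match, anything else = error.
          rc=0
          leaks="$(git grep -l '/home/[m]arkus' -- ':!.git')" || rc=$?
          if [ "$rc" -eq 0 ]; then
            echo "FAIL: Internal paths found"
            printf '%s\n' "$leaks"
            FAIL=1
          elif [ "$rc" -ne 1 ]; then
            # Fail closed: an errored scan is not a clean scan.
            echo "FAIL: git grep exited with status $rc"
            FAIL=1
          fi

          if [ "$FAIL" -eq 1 ]; then exit 1; fi
          echo "Security scan PASSED"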