name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  test-go:
    name: Go Tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version: '1.22'

      - name: Test cloud-init
        run: cd cloud-init && go test ./... -v -count=1

      - name: Test update agent
        run: cd update && go test ./... -v -count=1

      - name: Vet cloud-init
        run: cd cloud-init && go vet ./...

      - name: Vet update agent
        run: cd update && go vet ./...

  build-binaries:
    name: Build Go Binaries
    runs-on: ubuntu-latest
    needs: test-go
    strategy:
      matrix:
        include:
          - goos: linux
            goarch: amd64
            suffix: linux-amd64
          - goos: linux
            goarch: arm64
            suffix: linux-arm64
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version: '1.22'

      - name: Build cloud-init (${{ matrix.suffix }})
        run: |
          CGO_ENABLED=0 GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }} \
            go build -ldflags='-s -w' -o kubesolo-cloudinit-${{ matrix.suffix }} ./cmd/
        working-directory: cloud-init

      - name: Build update agent (${{ matrix.suffix }})
        run: |
          CGO_ENABLED=0 GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }} \
            go build -ldflags='-s -w' -o kubesolo-update-${{ matrix.suffix }} .
        working-directory: update

      - name: Upload binaries
        # @v4 not yet fully supported by Gitea Actions runner; @v3 works.
        uses: actions/upload-artifact@v3
        with:
          name: binaries-${{ matrix.suffix }}
          path: |
            cloud-init/kubesolo-cloudinit-${{ matrix.suffix }}
            update/kubesolo-update-${{ matrix.suffix }}

  shellcheck:
    name: Shellcheck
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install shellcheck
        run: sudo apt-get update && sudo apt-get install -y shellcheck

      # --severity=error filters out style/info/warning findings. Several of
      # those are unavoidable in init-style scripts that source other files
      # dynamically (SC1090/SC1091/SC2034). Exclude them explicitly so they
      # don't fire even at warning level if we lift severity later.
      # Codes excluded:
      #   SC1090 — non-constant source path (we source by stage name)
      #   SC1091 — source target not specified as input (we reference relative paths)
      #   SC2034 — var "unused" (false positive: used via sourced scripts)
      #   SC2002 — useless cat (style only, very common pattern in our scripts)
      #   SC2015 — A && B || C (deliberate idiom)
      #   SC2012 — use find not ls (style only)
      #   SC2013 — read words not lines (style only, applies to /proc parsing)

      - name: Lint init scripts (POSIX sh)
        run: |
          shellcheck -s sh --severity=error \
            -e SC1090,SC1091,SC2034,SC2002,SC2015,SC2012,SC2013 \
            init/init.sh init/lib/*.sh init/emergency-shell.sh

      - name: Lint build scripts (bash)
        run: |
          shellcheck -s bash --severity=error \
            -e SC1090,SC1091,SC2034,SC2002,SC2015,SC2012,SC2013 \
            build/scripts/*.sh build/config/kernel-audit.sh

      - name: Lint test scripts (bash)
        run: |
          shellcheck -s bash --severity=error \
            -e SC1090,SC1091,SC2034,SC2002,SC2015,SC2012,SC2013 \
            test/qemu/*.sh test/integration/*.sh test/kernel/*.sh

      - name: Lint hack scripts (bash)
        run: |
          shellcheck -s bash --severity=error \
            -e SC1090,SC1091,SC2034,SC2002,SC2015,SC2012,SC2013 \
            hack/*.sh