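# CI workflow: test (3-OS matrix), lint, filesystem vulnerability scan, then build.
#
# NOTE(review): every action here is referenced by a tag or branch, which the
# action's owner can move. For the third-party actions (codecov, golangci,
# aquasecurity) consider pinning to a full commit SHA of a reviewed release.
name: CI

on:
  push:
    branches: [master, main]
  pull_request:
    branches: [master, main]

# Workflow-wide default is read-only. The only job that needs to write
# (SARIF upload) requests that scope itself, so the test, lint and build
# jobs no longer carry security-events: write.
permissions:
  contents: read

jobs:
  test:
    name: Test
    strategy:
      matrix:
        go-version: ['1.24']
        os: [ubuntu-latest, windows-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 2

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ matrix.go-version }}
          cache: true

      - name: Download dependencies
        run: go mod download

      # Checks downloaded modules against the hashes recorded in go.sum.
      - name: Verify dependencies
        run: go mod verify

      - name: Set up Git (for tests)
        run: |
          git config --global user.email "test@example.com"
          git config --global user.name "CI Test"

      - name: Run tests with coverage
        run: go test -race -coverprofile coverage.out -covermode=atomic ./...

      # Coverage is uploaded from a single matrix cell only.
      - name: Upload coverage to Codecov
        if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.24'
        uses: codecov/codecov-action@v4
        with:
          file: ./coverage.out
          flags: unittests
          name: codecov-umbrella
          fail_ci_if_error: false

  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.24'
          cache: true

      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@v6
        # TODO: Fix linting errors
        # While continue-on-error is set, lint findings never fail this job,
        # so `needs: lint` in the build job does not gate on them.
        continue-on-error: true
        with:
          # NOTE(review): `latest` floats, so lint results can change between
          # runs with no change to the repository.
          version: latest
          args: --timeout=5m

  security:
    name: Security
    runs-on: ubuntu-latest
    # Scoped to this job: upload-sarif is the only step that writes.
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.24'
          cache: true

      - name: Run Trivy vulnerability scanner
        # NOTE(review): `@master` is a mutable branch ref on a third-party
        # action that runs in a job holding security-events: write. Pin it to
        # a full commit SHA of a reviewed release.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          # NOTE(review): no exit-code or severity is set, so findings are
          # presumably reported without failing the job - confirm against the
          # action's defaults if the scan is meant to gate the build.

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        # Runs even when the scan step fails. If no SARIF file was written,
        # this step fails as well.
        # NOTE(review): on pull requests from forks the token is read-only,
        # so this upload is expected to fail there - confirm that is acceptable.
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'

  build:
    name: Build
    needs: [test, lint, security]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.24'
          cache: true

      - name: Build binaries
        run: |
          go build -v -o bin/git-get ./cmd/get
          go build -v -o bin/git-list ./cmd/list

      # Smoke test: each binary must start and print its version.
      - name: Test binaries
        run: |
          ./bin/git-get --version
          ./bin/git-list --version

      - name: Upload build artifacts
        uses: actions/upload-artifact@v4
        with:
          name: binaries
          path: bin/
          retention-days: 30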