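---
# CI workflow: commit-message linting (pull requests only), ShellCheck over
# scripts/, and a grep-based check for shell-interpolated JSON in curl payloads.
# `runs-on: docker` + `container.image` is the Gitea/Forgejo Actions style;
# every job runs inside a plain ubuntu:24.04 container.
name: CI

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches: [main]
  push:
    branches: [main]

# Least privilege: no job pushes, comments, or uploads anything.
permissions:
  contents: read

jobs:
  lint-commits:
    name: Lint commits
    runs-on: docker
    container:
      image: docker.io/library/ubuntu:24.04
    # base/head SHAs only exist on pull_request events.
    if: github.event_name == 'pull_request'
    steps:
      - name: Install git
        # ca-certificates is needed for the HTTPS fetch done by actions/checkout.
        run: apt-get update && apt-get install -y --no-install-recommends git ca-certificates

      # Supply chain: a tag is mutable; prefer pinning to a full commit SHA
      # (actions/checkout@<full-commit-sha>) once one is chosen.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so base..head can be walked
          persist-credentials: false  # no later step needs the token left in .git/config

      - name: Validate conventional commits
        # Expression values go through `env`, not inline `${{ }}` in `run`,
        # so they are never parsed as shell syntax.
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        shell: bash
        run: |
          set -euo pipefail

          # Defence in depth: both values must be full 40-hex object ids.
          for sha in "$BASE_SHA" "$HEAD_SHA"; do
            if ! [[ "$sha" =~ ^[0-9a-f]{40}$ ]]; then
              echo "ERROR: unexpected SHA value: '$sha'"
              exit 1
            fi
          done

          # <type>[(scope)][!]: <description>  (Conventional Commits)
          pattern='^(feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert)(\(.+\))?(!)?: .{1,}$'

          # %s = subject line only, so no per-message head -1 is needed.
          # A failing git log (e.g. an unfetched range) must abort instead of
          # silently yielding zero commits to check. Merge commits are included.
          if ! subjects=$(git log --format=%s "${BASE_SHA}..${HEAD_SHA}"); then
            echo "ERROR: cannot list commits in ${BASE_SHA}..${HEAD_SHA} (is fetch-depth: 0 set?)"
            exit 1
          fi

          failed=0
          if [ -n "$subjects" ]; then
            while IFS= read -r subject; do
              # bash =~ is POSIX ERE, the same dialect as grep -E; no echo|grep
              # pipeline, so subjects starting with '-' or '\' are handled safely.
              if ! [[ "$subject" =~ $pattern ]]; then
                printf 'FAIL: %s\n' "$subject"
                failed=1
              fi
            done <<< "$subjects"
          fi

          if [ "$failed" -eq 1 ]; then
            echo ""
            echo "Some commits do not follow Conventional Commits format."
            echo "Expected: <type>[scope][!]: <description>"
            echo "See: https://www.conventionalcommits.org/"
            exit 1
          fi
          echo "All commits follow Conventional Commits format."

  lint-scripts:
    name: Lint shell scripts
    runs-on: docker
    container:
      image: docker.io/library/ubuntu:24.04
    steps:
      - name: Install shellcheck
        run: apt-get update && apt-get install -y --no-install-recommends shellcheck git ca-certificates

      - uses: actions/checkout@v4
        with:
          persist-credentials: false  # read-only job; keep the token out of the workspace

      - name: Run ShellCheck
        # If scripts/ has no .sh files the glob stays literal and shellcheck
        # fails loudly, which is the intended outcome.
        run: shellcheck scripts/*.sh

  security-check:
    name: Security patterns check
    runs-on: docker
    container:
      image: docker.io/library/ubuntu:24.04
    steps:
      - name: Install grep + git
        run: apt-get update && apt-get install -y --no-install-recommends git grep ca-certificates

      - uses: actions/checkout@v4
        with:
          persist-credentials: false  # read-only job; keep the token out of the workspace

      - name: Check for unsafe string interpolation in curl payloads
        shell: bash
        run: |
          set -euo pipefail
          # Flag inline JSON in double quotes (allows shell interpolation).
          # Safe patterns: curl -d '{}' (single quotes) or curl -d "$var" (pre-built payload).
          # Covers -d and its long forms. Only single-line invocations are seen:
          # a payload on a backslash-continued line is not matched.
          pattern='curl.*-(d|-data(-raw|-binary)?|-json)\s*"[{]'

          # grep exit codes: 0 = match, 1 = no match, anything else = error
          # (e.g. no scripts/*.sh). An error must not be reported as "no findings".
          grep -Pn "$pattern" scripts/*.sh && rc=0 || rc=$?
          case "$rc" in
            0)
              echo ""
              echo "ERROR: Found curl -d with inline JSON in double quotes."
              echo "Use jq --arg to build JSON safely and pass via variable."
              exit 1
              ;;
            1)
              echo "No unsafe curl patterns found."
              ;;
            *)
              echo "ERROR: grep exited with status $rc (are there any scripts/*.sh?)"
              exit "$rc"
              ;;
          esac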