---
name: CI/CD Pipeline
on:
  push:
    branches: [master, build-test]
  pull_request:
  release:
    types: [published]
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        architecture: [amd64, arm64]
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Set up Go
        uses: actions/setup-go@v2
        with:
          go-version: '1.24'
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y git
      - name: Build go-away
        run: |
          mkdir .bin
          go build -v -pgo=auto -v -trimpath -ldflags='-buildid= -bindnow' -buildmode pie -o ./.bin/go-away ./cmd/go-away
          go build -v -trimpath -ldflags='-buildid= -bindnow' -buildmode pie -o ./.bin/test-wasm-runtime ./cmd/test-wasm-runtime
      - name: Check policy for Forgejo
        run: |
          ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80 --policy examples/forgejo.yml --policy-snippets examples/snippets/
      - name: Check policy for Generic
        run: |
          ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80 --policy examples/generic.yml --policy-snippets examples/snippets/
      - name: Check policy for SPA
        run: |
          ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80 --policy examples/spa.yml --policy-snippets examples/snippets/
      - name: Test WASM Runtime Success
        run: |
          ./.bin/test-wasm-runtime -wasm ./embed/challenge/js-pow-sha256/runtime/runtime.wasm -make-challenge ./embed/challenge/js-pow-sha256/test/make-challenge.json -make-challenge-out ./embed/challenge/js-pow-sha256/test/make-challenge-out.json -verify-challenge ./embed/challenge/js-pow-sha256/test/verify-challenge.json -verify-challenge-out 0
      - name: Test WASM Runtime Fail
        run: |
          ./.bin/test-wasm-runtime -wasm ./embed/challenge/js-pow-sha256/runtime/runtime.wasm -make-challenge ./embed/challenge/js-pow-sha256/test/make-challenge.json -make-challenge-out ./embed/challenge/js-pow-sha256/test/make-challenge-out.json -verify-challenge ./embed/challenge/js-pow-sha256/test/verify-challenge-fail.json -verify-challenge-out 1
  publish:
    runs-on: ubuntu-latest
    needs: build
    if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to Git Forge registry
        uses: docker/login-action@v3
        with:
          registry: git.projectsegfau.lt
          username: ${{ secrets.GIT_USERNAME }}
          password: ${{ secrets.GIT_TOKEN }}
      - name: Build and push Docker images
        env:
          SOURCE_DATE_EPOCH: 0
          TZ: UTC
        run: |-
          docker buildx build \
            --platform linux/amd64,linux/arm64,linux/riscv64 \
            --tag git.projectsegfau.lt/${{ secrets.GIT_USERNAME }}/go-away:latest \
            --push \
            .