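# CI workflow: build, lint and test on every push to main and on pull requests
# targeting main. The Linux test job additionally installs the sandbox toolchain
# (bubblewrap, socat, uidmap, ...) that the integration and smoke tests rely on.
name: Build and test

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege for GITHUB_TOKEN: no job here pushes, comments, publishes or
# writes checks, so a read-only token is sufficient. Without this block the
# token's scope falls back to the repository default, which may be read-write.
permissions:
  contents: read

# NOTE(review): every third-party action below is pinned to a mutable major tag
# (@v4, @v5, @v6). For supply-chain hardening, pin each `uses:` to a full commit
# SHA with the version in a trailing comment so a moved or force-pushed tag cannot
# change the code that runs with this repository's token.
jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    # Bound runaway jobs; a hung build should not hold a runner for hours.
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          # Single source of truth for the toolchain version is go.mod.
          go-version-file: go.mod
          cache: true

      - name: Download dependencies
        run: go mod download

      - name: Build
        run: make build-ci

  lint:
    name: Lint
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
          cache: true

      - name: Download dependencies
        run: go mod download

      - name: Lint
        uses: golangci/golangci-lint-action@v6
        with:
          # goinstall builds the linter from source at the pinned version rather
          # than downloading a prebuilt binary.
          install-mode: goinstall
          version: v1.64.8

  test-linux:
    name: Test (Linux)
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
          cache: true

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Set up Node
        uses: actions/setup-node@v4
        with:
          node-version: "20"

      - name: Download dependencies
        run: go mod download

      # The sandbox tests need bubblewrap with working user namespaces. The
      # subuid/subgid entries and the setuid bit on bwrap are host-wide changes;
      # they are acceptable only because hosted runners are ephemeral VMs that
      # are discarded after the job. Do NOT replicate this step on a shared or
      # self-hosted runner: a setuid bwrap is a privilege boundary for every user
      # on that host.
      - name: Install Linux sandbox dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            bubblewrap \
            socat \
            uidmap \
            curl \
            netcat-openbsd \
            ripgrep

          # Configure subuid/subgid for the runner user (required for unprivileged user namespaces)
          echo "$(whoami):100000:65536" | sudo tee -a /etc/subuid
          echo "$(whoami):100000:65536" | sudo tee -a /etc/subgid

          # Make bwrap setuid so it can create namespaces as non-root user.
          # Quoted so an empty lookup fails loudly instead of running `chmod u+s`
          # with no path.
          sudo chmod u+s "$(command -v bwrap)"

      # Diagnostics only: print the state the sandbox depends on so a failing
      # test run can be triaged from the log, then prove bwrap can actually
      # create a mount namespace and a user namespace on this kernel.
      - name: Verify sandbox dependencies
        run: |
          echo "=== Checking sandbox dependencies ==="
          bwrap --version
          socat -V | head -1
          echo "User namespaces enabled: $(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo 'check not available')"
          echo "Kernel version: $(uname -r)"
          echo "uidmap installed: $(command -v newuidmap 2>/dev/null && echo yes || echo no)"
          # Anchor on "user:" so a username that is a substring of another entry
          # (or of a numeric range) does not produce a false positive.
          echo "subuid configured: $(grep "^$(whoami):" /etc/subuid 2>/dev/null || echo 'not configured')"
          # stat gives the mode string directly; parsing `ls -la` output is fragile.
          echo "bwrap setuid: $(stat -c '%A' "$(command -v bwrap)" | grep -q '^-rws' && echo yes || echo no)"

          echo "=== Testing bwrap basic functionality ==="
          bwrap --ro-bind / / -- /bin/echo "bwrap works!"

          echo "=== Testing bwrap with user namespace ==="
          bwrap --ro-bind / / --unshare-user --uid 0 --gid 0 -- /bin/echo "bwrap user namespace works!"

      - name: Run unit and integration tests
        run: make test-ci

      - name: Build binary for smoke tests
        run: make build-ci

      # GREYWALL_TEST_NETWORK=1 presumably enables the network-dependent smoke
      # tests (they run against the freshly built ./greywall binary); confirm
      # against scripts/smoke_test.sh. These tests need outbound network access
      # from the runner, so they will not pass on an egress-restricted runner.
      - name: Run smoke tests
        run: GREYWALL_TEST_NETWORK=1 ./scripts/smoke_test.sh ./greywall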