# NIP Package Manager CI
name: NIP CI

on:
  push:
    branches: [unstable, main, stable, testing]
  pull_request:
    branches: [unstable, main]

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Verify toolchain
        run: nim --version | head -1

      - name: Install dependencies
        run: |
          nimble refresh 2>/dev/null || true
          nimble install -y xxhash 2>/dev/null || echo "WARN: xxhash install failed"

      - name: Build (release)
        run: nim c -d:release --opt:speed --hints:off -o:nip nip.nim

      - name: Verify binary
        run: |
          ls -lh nip
          file nip

  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Check for sensitive content
        run: |
          FAIL=0
          for dir in .agent .vscode .kiro competitors; do
            if [ -d "$dir" ]; then
              echo "FAIL: Sensitive directory '$dir' found"
              FAIL=1
            fi
          done
          MATCHES=$(git grep -l '/home/markus' -- ':!.forgejo/' 2>/dev/null || true)
          if [ -n "$MATCHES" ]; then
            echo "FAIL: Internal paths found in:"
            echo "$MATCHES"
            FAIL=1
          fi
          if [ $FAIL -eq 1 ]; then exit 1; fi
          echo "Security scan PASSED"