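---
name: Rumpk CI

# The default GITHUB_TOKEN grant is broader than these jobs need: they only
# check out the repo, build, and exchange artifacts within the same run.
permissions:
  contents: read

on:  # yamllint disable-line rule:truthy
  push:
    branches: [unstable, main]
  pull_request:
    branches: [unstable, main]

jobs:
  build-riscv:
    runs-on: ubuntu-latest
    container:
      # NOTE(review): a mutable `latest` tag is neither reproducible nor a
      # trustworthy supply-chain input; pin to an image digest
      # (`image@sha256:...`) once one is published for this environment.
      image: nexus-os/build-env:latest
      # `--privileged` dropped: the reproducibility-check job below runs the
      # same `zig build` in the same image unprivileged, so the build needs
      # no extra host capabilities.
    steps:
      # TODO(review): pin third-party actions to a full commit SHA instead of
      # the floating `v4` tag.
      - uses: actions/checkout@v4
        with:
          # Nothing in this job pushes; do not leave the token in .git/config
          # where a later step (or a compromised build tool) could read it.
          persist-credentials: false
      - name: Build RISC-V kernel
        run: |
          echo "Building for RISC-V..."
          zig build -Darch=riscv64 -Drelease
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: rumpk-riscv64
          path: zig-out/rumpk-riscv64.elf
          retention-days: 7

  build-aarch64:
    runs-on: ubuntu-latest
    container:
      # NOTE(review): pin to an image digest rather than `latest` (see above).
      image: nexus-os/build-env:latest
      # `--privileged` dropped for the same reason as build-riscv.
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Build ARM64 kernel
        run: |
          echo "Building for ARM64..."
          zig build -Darch=aarch64 -Drelease
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: rumpk-aarch64
          path: zig-out/rumpk-aarch64.elf
          retention-days: 7

  security-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # the scan walks the full history
          persist-credentials: false
      - name: Sensitive content scan
        run: |
          echo "🔍 Scanning for sensitive content..."
          # `--pretty=format:` suppresses commit messages so only file paths
          # and patch text are matched: a commit message that merely mentions
          # `.vscode/` is not a leak. Writing to a temp file (instead of
          # piping into `grep -q` inside `if`) lets the shell's `-e` fail the
          # step when `git log` itself errors, rather than an empty output
          # silently passing the check.
          scan="$(mktemp)"
          trap 'rm -f "$scan"' EXIT

          # Check for forbidden directories anywhere in history
          git log --all --name-only --pretty=format: > "$scan"
          if grep -qE '\.agent/|\.vscode/|\.claude/|\.kiro/' "$scan"; then
            echo "❌ CRITICAL: Forbidden directory found in git history"
            exit 1
          fi

          # Check for internal developer paths in any patch text
          git log --all -p --pretty=format: > "$scan"
          if grep -qE '/home/markus/zWork/|/home/markus/\.claude/' "$scan"; then
            echo "❌ CRITICAL: Internal path found in git history"
            exit 1
          fi
          echo "✅ No sensitive content detected"
      - name: License header check
        run: |
          echo "Checking license headers..."
          # TODO: Implement license header checker
          echo "ℹ️ License check pending"

  test-qemu:
    needs: [build-riscv]
    runs-on: ubuntu-latest
    container:
      image: nexus-os/build-env:latest
      # No `-enable-kvm` is passed below, so QEMU runs under TCG and needs no
      # host devices; if KVM is ever enabled, grant `--device=/dev/kvm`
      # rather than `--privileged`.
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: rumpk-riscv64
          path: zig-out/
      - name: QEMU boot test
        timeout-minutes: 5
        run: |
          echo "🚀 Booting RISC-V kernel in QEMU..."
          # The kernel is expected to keep running, so hitting the 10 s
          # timeout (exit 124) counts as a successful boot. Any other
          # non-zero status (QEMU not installed, unreadable ELF, load
          # failure) is a real failure and must not be masked — the previous
          # `|| echo` made this step impossible to fail.
          # TODO(review): this still cannot detect a guest that hangs or
          # reboot-loops; grep the serial output for an expected banner.
          set +e
          timeout 10s qemu-system-riscv64 \
            -machine virt \
            -cpu rv64 \
            -smp 2 \
            -m 128M \
            -kernel zig-out/rumpk-riscv64.elf \
            -serial stdio \
            -display none \
            -bios none
          rc=$?
          set -e
          case "$rc" in
            0|124) echo "Boot test completed (qemu exit $rc)" ;;
            *)
              echo "❌ QEMU exited with status $rc"
              exit "$rc"
              ;;
          esac

  reproducibility-check:
    runs-on: ubuntu-latest
    container:
      image: nexus-os/build-env:latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Build twice and compare
        run: |
          # Build the target the comparison reads (rumpk-riscv64.elf)
          # explicitly, as the build-riscv job does, instead of relying on the
          # build script's default architecture.
          echo "🔧 Building first time..."
          zig build -Darch=riscv64 -Drelease
          cp zig-out/rumpk-riscv64.elf /tmp/build1.elf

          # A second `zig build` with a warm cache re-emits the cached
          # artifact and compares equal by construction, so wipe outputs and
          # the local cache first. (The cache directory is `.zig-cache` on
          # newer zig releases and `zig-cache` on older ones; zig also keeps a
          # global cache — clear that too if builds still compare equal
          # suspiciously fast.)
          echo "🔧 Building second time..."
          rm -rf zig-out .zig-cache zig-cache
          zig build -Darch=riscv64 -Drelease

          echo "📊 Comparing builds..."
          # cmp is byte-exact and silent on binaries; diff only reports
          # "Binary files differ".
          if cmp -s /tmp/build1.elf zig-out/rumpk-riscv64.elf; then
            echo "✅ Reproducible build verified"
          else
            # Kept as a warning rather than a failure, as before; the
            # annotation makes it visible in the run summary.
            echo "::warning::Build not reproducible: artifacts differ between two clean builds"
            echo "⚠️ Build not reproducible (timestamps embedded)"
          fi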