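# CI workflow for a Go module: build, race-enabled tests with an 80% coverage
# gate, coverage upload, vet/gofmt lint, and a separate GoSec scan job.
name: CI

on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]

# Least privilege for GITHUB_TOKEN: every job here only reads the repository.
# Without this block the token gets the repository/organisation default scope.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted so the version is always a string, whatever value is put here.
        go-version: ['1.23.x']
    steps:
      - uses: actions/checkout@v4
        with:
          # No step pushes or fetches again, so the token is not left in
          # .git/config for later steps (including third-party actions).
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ matrix.go-version }}

      - name: Cache Go modules
        uses: actions/cache@v4
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ matrix.go-version }}-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-${{ matrix.go-version }}-

      - name: Download dependencies
        # The module cache may have been restored from actions/cache, so check
        # it against go.sum before anything is compiled from it.
        run: |
          go mod download
          go mod verify

      - name: Build
        run: go build -v ./...

      - name: Test with coverage and enforce threshold
        # An explicit bash shell runs with -eo pipefail, so a failing
        # `go test` on the left of the pipe also fails the step.
        shell: bash
        run: |
          go test -v -race -coverprofile=coverage.out -covermode=atomic ./... 2>&1
          # The last field of an "ok" line is the word "statements", not the
          # percentage, so the gate looks for the field shaped like "NN.N%".
          # Lines without such a field (e.g. "[no statements]") are skipped.
          # Every package is reported before the step fails.
          go test -cover ./... 2>&1 | awk '
            /^ok/ {
              for (i = 1; i <= NF; i++) {
                if ($i ~ /^[0-9.]+%$/) {
                  pct = $i
                  sub(/%$/, "", pct)
                  if (pct + 0 < 80) {
                    print "Coverage " pct "% is below 80% threshold"
                    failed = 1
                  } else {
                    print "Coverage " pct "% meets 80% threshold"
                  }
                }
              }
            }
            END { exit failed + 0 }
          '

      - name: Upload coverage report
        # NOTE(review): third-party action referenced by a mutable tag; pinning
        # to a full commit SHA (<FULL_COMMIT_SHA>, placeholder) keeps a moved
        # tag from changing what runs here. No upload token is passed; confirm
        # the Codecov setup for this repository accepts that.
        uses: codecov/codecov-action@v4
        with:
          files: ./coverage.out
          flags: unittests
          name: codecov-pop

      - name: Lint
        # Quoted substitution: with several unformatted files the unquoted
        # form expands to multiple words and `test` reports a usage error
        # instead of a clean formatting failure.
        run: |
          go vet ./...
          test -z "$(gofmt -l .)"

  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.23.x'

      - name: Run GoSec
        # NOTE(review): mutable tag on a third-party action; pin to a full
        # commit SHA (<FULL_COMMIT_SHA>, placeholder) once the intended
        # release is confirmed.
        uses: securego/gosec@v2
        with:
          args: ./...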