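---
# Tier-1 CI: lint -> unit -> integration, plus build / SBOM / security gates.
# Images are only pushed for direct pushes to dev, stage or main.
#
# NOTE(review): third-party actions are referenced by mutable tag (v4, v5).
# Pinning each `uses:` to a full commit SHA protects against a retagged
# release; the SHAs are not recorded here and must be looked up upstream.
name: ci-tier1

on:
  push:
    branches: [dev, stage, main]
  pull_request:
    branches: [dev, stage, main]

# Least privilege for GITHUB_TOKEN: every job below only reads the repo.
# Jobs that need more must request it explicitly at job level.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.10"
      - run: pip install -e ".[dev]"
      - run: ruff check src tests
      - run: mypy src

  unit:
    runs-on: ubuntu-22.04
    needs: lint
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.10"
      - run: pip install -e ".[dev]"
      # --cov-fail-under is evaluated against the total coverage of the
      # gps_denied_onboard package, not against each component separately.
      - name: pytest unit (per-component coverage gate)
        run: pytest -q --cov=gps_denied_onboard --cov-fail-under=75 tests/unit

  integration:
    runs-on: ubuntu-22.04
    needs: unit
    steps:
      - uses: actions/checkout@v4
      # The job result is the exit code of the e2e-runner container.
      - name: docker compose up
        run: docker compose -f docker-compose.test.yml up --abort-on-container-exit --exit-code-from e2e-runner --build

  build:
    name: build-${{ matrix.kind }}
    runs-on: ubuntu-22.04
    needs: lint
    strategy:
      # Let both flavours finish so one failure does not hide the other.
      fail-fast: false
      matrix:
        kind: [deployment, research]
        include:
          - kind: deployment
            cmake_flags: "-DBUILD_VINS_MONO=OFF -DBUILD_VPR_SALAD=OFF -DBUILD_C11_TILE_MANAGER=OFF"
          - kind: research
            cmake_flags: "-DBUILD_VINS_MONO=ON -DBUILD_VPR_SALAD=ON"
    steps:
      - uses: actions/checkout@v4
      # cmake_flags comes from the static matrix above, not from event data.
      - run: cmake -S . -B build ${{ matrix.cmake_flags }}
      - run: cmake --build build --parallel

  sbom-diff:
    runs-on: ubuntu-22.04
    needs: build
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.10"
      # NOTE(review): this job starts from a fresh checkout and no visible
      # step generates or downloads the two SBOM files. Confirm they exist
      # in the repository, or hand them over from the build job as
      # artifacts; otherwise the gate compares nothing produced by this run.
      - name: SBOM diff (ADR-002 enforcement)
        run: python ci/sbom_diff.py --deployment build-deployment-sbom.json --research build-research-sbom.json

  security:
    runs-on: ubuntu-22.04
    needs: build
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.10"
      # NOTE(review): pip-audit is installed unpinned; pin a version so the
      # audit tool itself is reproducible.
      - run: pip install pip-audit
      # `-r` expects a requirements-format file, which pyproject.toml is not,
      # and `|| true` hid both that error and any real finding. Audit the
      # project directory instead. The step stays advisory through
      # continue-on-error, so a failure is visible in the run without
      # blocking it; remove that key to make the audit a hard gate.
      - name: pip-audit (advisory)
        run: pip-audit .
        continue-on-error: true
      - name: OpenCV pin gate (D-CROSS-CVE-1)
        run: python ci/opencv_pin_gate.py --pyproject pyproject.toml

  push-images:
    runs-on: ubuntu-22.04
    # Never runs for pull_request events; only for pushes to the three
    # long-lived branches.
    if: github.event_name == 'push' && contains(fromJson('["refs/heads/dev","refs/heads/stage","refs/heads/main"]'), github.ref)
    needs: [unit, integration, build, sbom-diff, security]
    # NOTE(review): once real publishing is wired in, grant `packages: write`
    # on this job only, leaving the workflow default at read-only.
    steps:
      - uses: actions/checkout@v4
      - run: echo "push images to GHCR (deployment + research) — wiring lands per release task"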