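# CI workflow for the Secrets v3 workspace: installs a pinned Rust toolchain
# with the musl target, runs fmt / clippy / test, builds the two release
# binaries and posts a summary to a Feishu webhook.
name: Secrets v3 CI

on:
  push:
    paths:
      - 'crates/**'
      - 'Cargo.toml'
      - 'Cargo.lock'
      - 'deploy/**'
      - '.gitea/workflows/**'

# A newer push to the same ref cancels the run that is still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# NOTE(review): no step in this file pushes commits, tags or releases. If
# nothing else relies on it, `contents: read` is the least-privilege setting
# for a job that compiles and runs third-party build scripts - confirm
# before changing.
permissions:
  contents: write

env:
  RUST_TOOLCHAIN: '1.94.0'
  CARGO_INCREMENTAL: '0'
  CARGO_NET_RETRY: '10'
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: short
  MUSL_TARGET: x86_64-unknown-linux-musl

jobs:
  ci:
    name: 检查
    runs-on: debian
    timeout-minutes: 40
    steps:
      # NOTE(review): actions are referenced by the mutable tag `v4`; pinning
      # each one to a full commit SHA keeps a retagged release from changing
      # what runs here.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # No later step talks to the remote, so the job token is not left
          # in .git/config where build scripts and tests could read it.
          persist-credentials: false

      # ── Rust toolchain ───────────────────────────────────────────────────
      # When rustup is missing, the installer script is downloaded over TLS
      # and executed without an integrity check: the toolchain version is
      # pinned, the installer itself is not.
      # NOTE(review): a runner image with rustup preinstalled would mean this
      # branch is never taken.
      - name: 安装 Rust 与 musl 工具链
        run: |
          sudo apt-get update -qq
          sudo apt-get install -y -qq pkg-config musl-tools binutils jq
          if ! command -v rustup >/dev/null 2>&1; then
            curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain "${RUST_TOOLCHAIN}"
            echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
          fi
          source "$HOME/.cargo/env" 2>/dev/null || true
          rustup toolchain install "${RUST_TOOLCHAIN}" --profile minimal \
            --component rustfmt --component clippy
          rustup default "${RUST_TOOLCHAIN}"
          rustup target add "${MUSL_TARGET}" --toolchain "${RUST_TOOLCHAIN}"
          rustc -V && cargo -V

      # Cache key is derived from the target, the toolchain and Cargo.lock;
      # the restore-keys fall back to progressively older caches.
      - name: 缓存 Cargo
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry/index
            ~/.cargo/registry/cache
            ~/.cargo/git/db
            target
          key: cargo-${{ env.MUSL_TARGET }}-${{ env.RUST_TOOLCHAIN }}-${{ hashFiles('Cargo.lock') }}
          restore-keys: |
            cargo-${{ env.MUSL_TARGET }}-${{ env.RUST_TOOLCHAIN }}-
            cargo-${{ env.MUSL_TARGET }}-

      # ── Quality gates (run before the builds; the first failure stops) ───
      - name: fmt
        run: cargo fmt -- --check

      - name: clippy
        run: cargo clippy --locked -- -D warnings

      - name: test
        run: cargo test --locked

      - name: 构建 secrets-api
        run: |
          cargo build --release --locked -p secrets-api

      - name: 构建 secrets-desktop-daemon
        run: |
          cargo build --release --locked -p secrets-desktop-daemon

      # ── Feishu summary notification ──────────────────────────────────────
      # Context values (the commit message in particular) are text chosen by
      # whoever pushed. Writing `${{ ... }}` inside the script body pastes
      # that text into the shell source before it runs, so every value is
      # handed over through the environment and the shell only ever treats
      # it as data. jq then builds the JSON, which keeps quoting correct.
      # NOTE(review): the webhook URL is read from `vars`, which are not
      # masked in logs the way `secrets` are; if the URL embeds the bot
      # token, storing it as a secret would be safer - confirm.
      - name: 飞书通知
        if: always()
        env:
          WEBHOOK_URL: ${{ vars.WEBHOOK_URL }}
          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
          COMMIT_SHA: ${{ github.sha }}
          COMMIT_ACTOR: ${{ github.actor }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_number }}
          JOB_STATUS: ${{ job.status }}
        run: |
          [ -z "$WEBHOOK_URL" ] && exit 0
          # Fall back to the commit SHA when the event carries no message.
          commit="${COMMIT_MESSAGE:-$COMMIT_SHA}"
          url="$RUN_URL"
          result="$JOB_STATUS"
          if [ "$result" = "success" ]; then icon="✅"; else icon="❌"; fi
          msg="secrets v3 CI ${icon} 提交:${commit} 作者:${COMMIT_ACTOR} 详情:${url}"
          payload=$(jq -n --arg text "$msg" '{msg_type: "text", content: {text: $text}}')
          curl -sS -H "Content-Type: application/json" -X POST -d "$payload" "$WEBHOOK_URL"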