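# CI: run `go vet` and the Go test suite against a throwaway HashiCorp Vault
# dev server on every push to main and every pull request targeting main.
name: Test

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

# Least privilege for the workflow's GITHUB_TOKEN: no step here writes to the
# repository or to any other GitHub resource.
permissions:
  contents: read

jobs:
  tests:
    strategy:
      matrix:
        # These values are used verbatim as runner labels by `runs-on`.
        # NOTE(review): 'darwin-amd64' does not look like a GitHub-hosted
        # runner label, so it presumably names a self-hosted runner - confirm.
        arch: ['ubuntu-latest', 'darwin-amd64']
    runs-on: ${{ matrix.arch }}
    steps:
      # NOTE(review): both actions are referenced by a mutable major-version
      # tag. Pinning each to a full commit SHA (<COMMIT_SHA>, placeholder)
      # prevents a retagged release from changing what runs here.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # No later step needs git credentials, so do not leave the token in
          # the checked-out repository's git config while test code runs.
          persist-credentials: false

      - name: Setup go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'

      # Installs Vault from the HashiCorp apt repository (Ubuntu leg only).
      # NOTE(review): the 'darwin-amd64' leg skips this step but still runs
      # the Vault steps below, so that runner presumably has `vault`
      # preinstalled - confirm.
      - name: Setup Hashicorp Vault
        if: matrix.arch == 'ubuntu-latest'
        run: |
          # Fail on the first error, including a failed download on the left
          # side of a pipe, instead of installing from a broken keyring.
          set -euo pipefail

          keyring=/usr/share/keyrings/hashicorp-archive-keyring.gpg

          # The signing key is trusted as downloaded over TLS. To pin it,
          # compare its fingerprint with the one HashiCorp publishes
          # (<EXPECTED_FINGERPRINT>, placeholder) before using the keyring.
          wget -O - https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o "${keyring}"

          arch="$(dpkg --print-architecture)"
          codename="$(grep -oP '(?<=UBUNTU_CODENAME=).*' /etc/os-release || lsb_release -cs)"
          echo "deb [arch=${arch} signed-by=${keyring}] https://apt.releases.hashicorp.com ${codename} main" |
            sudo tee /etc/apt/sources.list.d/hashicorp.list

          # apt needs root; the runner user is unprivileged, hence sudo here
          # as on the keyring and sources.list writes above.
          sudo apt-get update && sudo apt-get -y install vault

      # Dev-mode server: fixed root token, self-signed TLS certificate and a
      # loopback-only listener. VAULT_SKIP_VERIFY turns off certificate
      # verification, which is tolerable only for this throwaway local
      # instance; none of these settings belong in a real deployment.
      - name: Start Vault in background
        env:
          VAULT_SKIP_VERIFY: "true"
        run: |
          # Start Vault server in background
          echo "🔐 Starting Hashicorp Vault development server"
          vault server -dev -dev-root-token-id=root -dev-listen-address=127.0.0.1:8200 -dev-tls > vault.log 2>&1 &
          VAULT_PID=$!
          echo "$VAULT_PID" > vault.pid

          # Poll for readiness rather than sleeping a fixed time, so a slow
          # runner does not fail spuriously. VAULT_SKIP_VERIFY already comes
          # from this step's env block, so no extra export is needed.
          for _ in $(seq 1 15); do
            if vault status > /dev/null 2>&1; then
              break
            fi
            sleep 1
          done

          if ! vault status; then
            # Read via stdin so wc prints only the count, not the file name.
            echo "❌ Vault failed to start. Logs ($(wc -l < vault.log) lines):"
            cat vault.log
            exit 1
          fi
          echo "✅ Vault started successfully with PID: $VAULT_PID"

      # vars.* are repository configuration variables, not secrets: they are
      # not masked in logs, so they must only ever hold disposable test data.
      # They reach the script through env rather than being interpolated into
      # it, so their content is never parsed as shell.
      - name: Setup Vault test data
        env:
          TEST_VAULT_KEY: ${{ vars.TEST_VAULT_KEY }}
          TEST_VAULT_VALUE: ${{ vars.TEST_VAULT_VALUE }}
          VAULT_TOKEN: root
          VAULT_SKIP_VERIFY: "true"
        run: |
          # Populate our test secrets
          echo "🔐 Populating test secrets:"
          vault kv put "${TEST_VAULT_KEY}" data="${TEST_VAULT_VALUE}"

          # Populate our test transit backend with key
          echo "🔐 Populating test transit backend:"
          vault secrets enable transit
          vault write -f transit/keys/test

      - name: Vet
        run: go vet -v ./...

      # The tests get the same dev-server settings as the seeding step above.
      - name: Test
        env:
          TEST_VAULT_KEY: ${{ vars.TEST_VAULT_KEY }}
          TEST_VAULT_VALUE: ${{ vars.TEST_VAULT_VALUE }}
          VAULT_TOKEN: root
          VAULT_SKIP_VERIFY: "true"
        run: |
          go test -v ./...

      # Runs even when an earlier step failed, so the background server is
      # not left behind on the runner.
      - name: Stop Vault (always run)
        if: always()
        run: |
          if [ -f vault.pid ]; then
            kill "$(cat vault.pid)" 2>/dev/null || true
            rm -f vault.pid
          fi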