name: PR

on:
  pull_request:
    branches:
      - master

concurrency:
  group: pr-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  policy:
    runs-on: ubuntu-latest
    timeout-minutes: 5

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Block manual lockfile edits
        if: github.head_ref != 'chore/refresh-lockfile'
        run: |
          changed="$(git diff --name-only "${{ github.event.pull_request.base.sha }}" "${{ github.event.pull_request.head.sha }}")"
          if printf '%s\n' "$changed" | grep -qx 'pnpm-lock.yaml'; then
            echo "Do not commit pnpm-lock.yaml in pull requests. CI owns lockfile updates."
            exit 1
          fi

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 9.15.4
          run_install: false

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 24

      - name: Validate dependency resolution when manifests change
        run: |
          changed="$(git diff --name-only "${{ github.event.pull_request.base.sha }}" "${{ github.event.pull_request.head.sha }}")"
          manifest_pattern='(^|/)package\.json$|^pnpm-workspace\.yaml$|^\.npmrc$|^pnpmfile\.(cjs|js|mjs)$'
          if printf '%s\n' "$changed" | grep -Eq "$manifest_pattern"; then
            pnpm install --lockfile-only --ignore-scripts --no-frozen-lockfile
          fi

  verify:
    needs: [policy]
    runs-on: ubuntu-latest
    timeout-minutes: 20

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 9.15.4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 24
          cache: pnpm

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Typecheck
        run: pnpm -r typecheck

      - name: Run tests
        run: pnpm test:run

      - name: Build
        run: pnpm build

      - name: Release canary dry run
        run: |
          git checkout -B master HEAD
          git checkout -- pnpm-lock.yaml
          ./scripts/release.sh canary --skip-verify --dry-run

  e2e:
    needs: [policy]
    runs-on: ubuntu-latest
    timeout-minutes: 30

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 9.15.4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 24
          cache: pnpm

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Build
        run: pnpm build

      - name: Install Playwright
        run: npx playwright install --with-deps chromium

      - name: Generate Paperclip config
        run: |
          mkdir -p ~/.paperclip/instances/default
          cat > ~/.paperclip/instances/default/config.json << 'CONF'
          {
            "$meta": { "version": 1, "updatedAt": "2026-01-01T00:00:00.000Z", "source": "onboard" },
            "database": { "mode": "embedded-postgres" },
            "logging": { "mode": "file" },
            "server": { "deploymentMode": "local_trusted", "host": "127.0.0.1", "port": 3100 },
            "auth": { "baseUrlMode": "auto" },
            "storage": { "provider": "local_disk" },
            "secrets": { "provider": "local_encrypted", "strictMode": false }
          }
          CONF

      - name: Run e2e tests
        env:
          PAPERCLIP_E2E_SKIP_LLM: "true"
        run: pnpm run test:e2e

      - name: Upload Playwright report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: playwright-report
          path: |
            tests/e2e/playwright-report/
            tests/e2e/test-results/
          retention-days: 14