ci.yml

# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json

name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Nightly at midnight UTC (for coverage)
    - cron: "0 0 * * *"

# Cancel in-progress runs when new commits are pushed
# We only care about the latest commit on any branch/PR
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Default to read-only permissions
permissions:
  contents: read
  pull-requests: read

env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: 1

jobs:
  # Validate conventional commit messages
  commits:
    name: Commit Messages
    runs-on: ubuntu-latest
    # Only run on pull requests - push to main is already validated
    if: github.event_name == 'pull_request'
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

      - name: Validate PR title
        uses: step-security/action-semantic-pull-request@bc0cf74f5be4ce34accdec1ae908dff38dc5def1 # v6.1.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          types: |
            feat
            fix
            docs
            style
            refactor
            perf
            test
            build
            ci
            chore
            revert
            dx
            ai
            imp
          requireScope: false
          subjectPattern: ^[a-z].*$
          subjectPatternError: |
            The subject "{subject}" must start with a lowercase letter.
            Example: "feat: add user authentication" or "fix(api): handle empty requests"

  # Detect if this is a workflow-only change (for skipping builds on Dependabot workflow PRs)
  changes:
    name: Detect Changes
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    outputs:
      code: ${{ steps.filter.outputs.code }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Check for code changes
        id: filter
        uses: step-security/paths-filter@6eee183b0d2fd101d3f8ee2935c127bca14c5625 # v3.0.5
        with:
          filters: |
            code:
              - '**/*.rs'
              - '**/Cargo.toml'
              - '**/Cargo.lock'
              - 'api/**'
              - 'config*.yaml'
              - 'rust-toolchain.toml'

  # Check code formatting
  fmt:
    name: Formatting
    runs-on: ubuntu-latest
    if: github.actor != 'dependabot[bot]'
    permissions:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install Rust nightly toolchain
        uses: dtolnay/rust-toolchain@0b1efabc08b657293548b77fb76cc02d26091c7e # master
        with:
          toolchain: nightly
          components: rustfmt

      - name: Check formatting
        run: cargo +nightly fmt --all -- --check

  # Run Clippy for linting
  clippy:
    name: Linting
    runs-on: ubuntu-latest
    if: github.actor != 'dependabot[bot]'
    permissions:
      contents: read
    env:
      CARGO_INCREMENTAL: 0
      RUSTFLAGS: "-C codegen-units=16 -C link-arg=-fuse-ld=mold"
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          submodules: true

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
        with:
          toolchain: stable
          components: clippy

      - name: Install mold linker
        run: |
          sudo apt-get update -qq
          sudo apt-get install -y -qq mold

      - name: Install development tools via Mise
        uses: step-security/mise-action@2fa1b2b4fa1577588d8ac75f4dfa0f67c266d2a0 # v3.4.1
        with:
          install_args: protobuf
          cache: true

      - name: Cache Rust dependencies
        uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3
        with:
          shared-key: ubuntu-latest-x86_64-unknown-linux-gnu
          save-if: false

      - name: Run clippy
        run: cargo clippy --workspace --all-targets --all-features -- -D warnings

  # Run tests on multiple platforms
  test:
    name: Test (${{ matrix.name }})
    needs: [fmt, clippy]
    runs-on: ${{ matrix.runner }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - runner: ubuntu-latest
            name: Linux AMD64
          - runner: ubuntu-24.04-arm
            name: Linux ARM64
          - runner: macos-latest
            name: macOS Apple Silicon
    permissions:
      contents: read
      checks: write # For test result publishing
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

      - name: Free disk space (Linux)
        if: runner.os == 'Linux'
        run: |
          sudo rm -rf /usr/share/dotnet
          sudo rm -rf /usr/local/lib/android
          sudo rm -rf /opt/ghc
          sudo rm -rf /opt/hostedtoolcache/CodeQL
          df -h

      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          submodules: true

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
        with:
          toolchain: stable

      - name: Install mold linker (Linux)
        if: runner.os == 'Linux'
        run: |
          sudo apt-get update -qq
          sudo apt-get install -y -qq mold

      - name: Install protobuf compiler (Linux)
        if: runner.os == 'Linux'
        run: |
          sudo apt-get install -y -qq protobuf-compiler

      - name: Install protobuf compiler (macOS)
        if: runner.os == 'macOS'
        run: |
          brew install protobuf

      - name: Install cargo-nextest
        uses: taiki-e/install-action@650c5ca14212efbbf3e580844b04bdccf68dac31 # v2.67.18
        with:
          tool: cargo-nextest

      - name: Cache Rust dependencies
        uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3
        with:
          shared-key: test-${{ matrix.runner }}
          save-if: ${{ github.ref == 'refs/heads/main' }}

      - name: Restore proptest regressions cache
        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
        with:
          path: |
            **/proptest-regressions
            **/*.proptest-regressions
          key: proptest-regressions-${{ matrix.runner }}-${{ github.sha }}
          restore-keys: |
            proptest-regressions-${{ matrix.runner }}-

      - name: Run tests (PR - fast profile)
        if: github.event_name == 'pull_request'
        env:
          RUSTFLAGS: ${{ runner.os == 'Linux' && '-C codegen-units=16 -C link-arg=-fuse-ld=mold' || '' }}
          CARGO_INCREMENTAL: "0"
          PROPTEST_CASES: "10"
        run: cargo nextest run --workspace --profile fast

      - name: Run tests (main - ci profile)
        if: github.event_name != 'pull_request'
        env:
          RUSTFLAGS: ${{ runner.os == 'Linux' && '-C codegen-units=16 -C link-arg=-fuse-ld=mold' || '' }}
          CARGO_INCREMENTAL: "0"
          PROPTEST_CASES: "25"
        run: cargo nextest run --workspace --profile ci --no-fail-fast

      - name: Save proptest regressions on failure
        if: failure()
        uses: actions/cache/save@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
        with:
          path: |
            **/proptest-regressions
            **/*.proptest-regressions
          key: proptest-regressions-${{ matrix.runner }}-${{ github.sha }}

      - name: Run doc tests
        env:
          RUSTFLAGS: ""
        run: cargo test --workspace --doc

      - name: Analyze test performance (Linux AMD64 only)
        if: always() && matrix.runner == 'ubuntu-latest'
        run: |
          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
            JUNIT_FILE="target/nextest/fast/junit-fast.xml"
          else
            JUNIT_FILE="target/nextest/ci/junit.xml"
          fi

          if [[ -f "$JUNIT_FILE" ]]; then
            # Note: --no-fail-on-regression because CI runners have highly variable
            # performance (50-200% variance is normal). Baselines were captured on
            # dev machines. Performance regressions are informational only in CI.
            python3 scripts/analyze-test-times.py \
              --junit "$JUNIT_FILE" \
              --no-fail-on-slow \
              --no-fail-on-regression \
              --regression-threshold 50
          else
            echo "JUnit file not found: $JUNIT_FILE"
          fi

      - name: Publish test results (Linux AMD64 only)
        uses: step-security/publish-unit-test-result-action@914f0f642c242f38335a491805adfc9bd64b1cbb # v2.21.1
        if: always() && matrix.runner == 'ubuntu-latest'
        with:
          files: target/nextest/ci/junit.xml
          check_name: Test Results
          comment_mode: off

      - name: Upload test results
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: always()
        with:
          name: test-results-${{ matrix.runner }}
          path: |
            target/nextest/ci/junit.xml
            target/nextest/fast/junit-fast.xml
          retention-days: 7

  # Update test performance baselines from CI
  # Only runs on nightly schedule to capture CI-representative timings
  update-test-baselines:
    name: Update Test Baselines
    needs: [test]
    runs-on: ubuntu-latest
    # Only run on scheduled (nightly) builds, not PRs or pushes
    if: github.event_name == 'schedule'
    permissions:
      contents: write
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Download test results
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: test-results-ubuntu-latest
          path: target/nextest/ci/

      - name: Update baselines
        run: |
          if [[ -f "target/nextest/ci/junit.xml" ]]; then
            python3 scripts/analyze-test-times.py \
              --junit "target/nextest/ci/junit.xml" \
              --update-baseline
            echo "Baselines updated from CI test run"
          else
            echo "No JUnit file found, skipping baseline update"
            exit 0
          fi

      - name: Commit updated baselines
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"

          if git diff --quiet .config/test-baselines.json; then
            echo "No changes to baselines"
          else
            git add .config/test-baselines.json
            git commit -m "chore: update test performance baselines from CI

            Automatically generated from nightly CI run.
            These baselines reflect actual CI runner performance."
            git push
          fi

  # Ledger Integration Tests
  # Runs Engine tests against a real Ledger server to verify storage backend integration.
  # Uses Docker Compose to start a single-node Ledger cluster, then runs native cargo tests.
  ledger-integration-tests:
    name: Ledger Integration Tests
    needs: [fmt, clippy]
    runs-on: ubuntu-latest
    permissions:
      contents: read
    timeout-minutes: 10
    env:
      CARGO_INCREMENTAL: 0
      RUSTFLAGS: "-C codegen-units=16 -C link-arg=-fuse-ld=mold"
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          submodules: true

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
        with:
          toolchain: stable

      - name: Install mold linker
        run: |
          sudo apt-get update -qq
          sudo apt-get install -y -qq mold

      - name: Install development tools via Mise
        uses: step-security/mise-action@2fa1b2b4fa1577588d8ac75f4dfa0f67c266d2a0 # v3.4.1
        with:
          install_args: protobuf cargo:cargo-nextest
          cache: true

      - name: Cache Rust dependencies
        uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3
        with:
          shared-key: ubuntu-latest-x86_64-unknown-linux-gnu
          save-if: false

      - name: Start Ledger server
        working-directory: docker/ledger-integration-tests
        run: |
          docker compose up -d ledger
          echo "Waiting for Ledger to be ready..."
          # Wait for metrics endpoint to be available (indicates server is running)
          # Then add delay for Raft bootstrap to complete
          for i in {1..30}; do
            if curl -sf http://localhost:9091/metrics > /dev/null 2>&1; then
              echo "Ledger metrics endpoint is available"
              # Give Raft a moment to fully bootstrap after server starts
              sleep 3
              echo "Ledger should be ready!"
              break
            fi
            echo "Attempt $i/30: Ledger not ready yet..."
            sleep 2
          done
          # Final check - metrics endpoint must be available
          curl -sf http://localhost:9091/metrics > /dev/null || (docker compose logs ledger && exit 1)

      - name: Run Ledger integration tests
        env:
          RUN_LEDGER_INTEGRATION_TESTS: "1"
          LEDGER_ENDPOINT: "http://localhost:50051"
          LEDGER_NAMESPACE_ID: "1"
          RUST_BACKTRACE: "1"
        run: |
          cargo nextest run \
            --package inferadb-engine-api \
            --package inferadb-engine-auth \
            --test ledger_integration \
            --test signing_key_cache_ledger_integration \
            --features test-utils \
            --profile ci \
            --no-fail-fast

      - name: Stop Ledger server
        if: always()
        working-directory: docker/ledger-integration-tests
        run: docker compose down -v

  # IPL Parser Security Tests
  # Only runs on PRs that modify inferadb-engine-core
  ipl-parser-security-tests:
    name: IPL Parser Security Tests
    needs: [fmt, clippy]
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
    permissions:
      contents: read
      pull-requests: read
    env:
      CARGO_INCREMENTAL: 0
      RUSTFLAGS: "-C codegen-units=16 -C link-arg=-fuse-ld=mold"
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

      - name: Check if inferadb-engine-core was modified
        id: check-core
        uses: step-security/paths-filter@6eee183b0d2fd101d3f8ee2935c127bca14c5625 # v3.0.5
        with:
          filters: |
            core:
              - 'crates/inferadb-engine-core/**'

      - name: Skip if inferadb-engine-core not modified
        if: steps.check-core.outputs.core != 'true'
        run: |
          echo "inferadb-engine-core not modified, skipping tests"
          exit 0

      # Only run these steps if inferadb-engine-core was modified
      - name: Checkout code
        if: steps.check-core.outputs.core == 'true'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          submodules: true

      - name: Install Rust toolchain
        if: steps.check-core.outputs.core == 'true'
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
        with:
          toolchain: stable

      - name: Install mold linker
        if: steps.check-core.outputs.core == 'true'
        run: |
          sudo apt-get update -qq
          sudo apt-get install -y -qq mold

      - name: Install development tools via Mise
        if: steps.check-core.outputs.core == 'true'
        uses: step-security/mise-action@2fa1b2b4fa1577588d8ac75f4dfa0f67c266d2a0 # v3.4.1
        with:
          install_args: protobuf cargo:cargo-nextest
          cache: true

      - name: Restore build cache
        if: steps.check-core.outputs.core == 'true'
        uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3
        with:
          shared-key: ubuntu-latest-x86_64-unknown-linux-gnu
          save-if: false

      - name: Run IPL parser fuzz tests
        if: steps.check-core.outputs.core == 'true'
        run: cargo nextest run --package inferadb-engine-core --test ipl_parser_fuzz
        continue-on-error: true

  # WASM Security Tests
  # Only runs on PRs that modify inferadb-engine-wasm
  wasm-security-tests:
    name: WASM Security Tests
    needs: [fmt, clippy]
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
    permissions:
      contents: read
      pull-requests: read
    env:
      CARGO_INCREMENTAL: 0
      RUSTFLAGS: "-C codegen-units=16 -C link-arg=-fuse-ld=mold"
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

      - name: Check if inferadb-engine-wasm was modified
        id: check-wasm
        uses: step-security/paths-filter@6eee183b0d2fd101d3f8ee2935c127bca14c5625 # v3.0.5
        with:
          filters: |
            wasm:
              - 'crates/inferadb-engine-wasm/**'

      - name: Skip if inferadb-engine-wasm not modified
        if: steps.check-wasm.outputs.wasm != 'true'
        run: |
          echo "inferadb-engine-wasm not modified, skipping tests"
          exit 0

      # Only run these steps if inferadb-engine-wasm was modified
      - name: Checkout code
        if: steps.check-wasm.outputs.wasm == 'true'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          submodules: true

      - name: Install Rust toolchain
        if: steps.check-wasm.outputs.wasm == 'true'
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
        with:
          toolchain: stable

      - name: Install mold linker
        if: steps.check-wasm.outputs.wasm == 'true'
        run: |
          sudo apt-get update -qq
          sudo apt-get install -y -qq mold

      - name: Install development tools via Mise
        if: steps.check-wasm.outputs.wasm == 'true'
        uses: step-security/mise-action@2fa1b2b4fa1577588d8ac75f4dfa0f67c266d2a0 # v3.4.1
        with:
          install_args: protobuf cargo:cargo-nextest
          cache: true

      - name: Restore build cache
        if: steps.check-wasm.outputs.wasm == 'true'
        uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3
        with:
          shared-key: ubuntu-latest-x86_64-unknown-linux-gnu
          save-if: false

      - name: Run WASM sandbox security tests
        if: steps.check-wasm.outputs.wasm == 'true'
        run: cargo nextest run --package inferadb-engine-wasm --test sandbox_security
        continue-on-error: true

  # Test code coverage (builds from scratch with instrumentation)
  # Note: Cannot reuse build artifacts - coverage requires specially instrumented binaries
  coverage:
    name: Code Coverage
    needs: changes
    runs-on: ubuntu-latest
    # Only run nightly to reduce CI costs - coverage is informational and expensive
    if: github.event_name == 'schedule'
    continue-on-error: true
    permissions:
      contents: read
    env:
      CARGO_INCREMENTAL: 0
      RUSTFLAGS: "-C codegen-units=16 -C link-arg=-fuse-ld=mold"
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

      - name: Free disk space
        run: |
          sudo rm -rf /usr/share/dotnet
          sudo rm -rf /usr/local/lib/android
          sudo rm -rf /opt/ghc
          sudo rm -rf /opt/hostedtoolcache/CodeQL
          df -h

      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          submodules: true

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
        with:
          toolchain: stable

      - name: Install mold linker
        run: |
          sudo apt-get update -qq
          sudo apt-get install -y -qq mold

      - name: Install development tools via Mise
        uses: step-security/mise-action@2fa1b2b4fa1577588d8ac75f4dfa0f67c266d2a0 # v3.4.1
        with:
          install_args: protobuf cargo:cargo-llvm-cov
          cache: true

      - name: Restore registry cache
        uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3
        with:
          shared-key: ubuntu-latest-x86_64-unknown-linux-gnu
          # Only restore registry cache - llvm-cov uses its own target directory
          # so compiled artifacts from the build job won't be reused
          save-if: false

      - name: Generate coverage
        env:
          # Comprehensive proptest cases for nightly coverage runs
          PROPTEST_CASES: "500"
        run: cargo llvm-cov --workspace --lcov --output-path lcov.info

      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
        with:
          files: lcov.info
          fail_ci_if_error: false
          token: ${{ secrets.CODECOV_TOKEN }}

  # Full test suite including all ignored tests (load, scale, stress tests)
  # Only runs nightly via schedule - comprehensive validation
  full-tests:
    name: Full Test Suite
    needs: changes
    runs-on: ubuntu-latest
    # Only run nightly to avoid blocking PRs with expensive tests
    if: github.event_name == 'schedule'
    continue-on-error: true
    permissions:
      contents: read
    env:
      CARGO_INCREMENTAL: 0
      RUSTFLAGS: "-C codegen-units=16 -C link-arg=-fuse-ld=mold"
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

      - name: Free disk space
        run: |
          sudo rm -rf /usr/share/dotnet
          sudo rm -rf /usr/local/lib/android
          sudo rm -rf /opt/ghc
          sudo rm -rf /opt/hostedtoolcache/CodeQL
          df -h

      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          submodules: true

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
        with:
          toolchain: stable

      - name: Install mold linker
        run: |
          sudo apt-get update -qq
          sudo apt-get install -y -qq mold

      - name: Install development tools via Mise
        uses: step-security/mise-action@2fa1b2b4fa1577588d8ac75f4dfa0f67c266d2a0 # v3.4.1
        with:
          install_args: protobuf cargo:cargo-nextest
          cache: true

      - name: Cache Rust dependencies
        uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3
        with:
          shared-key: ubuntu-latest-x86_64-unknown-linux-gnu
          save-if: false

      - name: Run full test suite including ignored tests
        env:
          # Maximum proptest cases for comprehensive nightly fuzzing
          PROPTEST_CASES: "500"
        run: cargo nextest run --workspace --profile full --features test-full --run-ignored all

      - name: Upload full test results
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: always()
        with:
          name: test-results-full
          path: target/nextest/full/junit-full.xml
          retention-days: 7

  # Check dependencies for outdated versions, duplicates, and unused
  # Only runs on main branch pushes (informational, not blocking)
  dependencies:
    name: Dependencies
    runs-on: ubuntu-latest
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    permissions:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          submodules: true

      - name: Install Rust stable toolchain
        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
        with:
          toolchain: stable

      - name: Install Rust nightly toolchain (for cargo-udeps)
        uses: dtolnay/rust-toolchain@0b1efabc08b657293548b77fb76cc02d26091c7e # master
        with:
          toolchain: nightly

      - name: Install protobuf compiler
        run: |
          sudo apt-get update -qq
          sudo apt-get install -y -qq protobuf-compiler

      - name: Install cargo-outdated
        uses: taiki-e/install-action@650c5ca14212efbbf3e580844b04bdccf68dac31 # v2.67.18
        with:
          tool: cargo-outdated

      - name: Install cargo-udeps
        uses: taiki-e/install-action@650c5ca14212efbbf3e580844b04bdccf68dac31 # v2.67.18
        with:
          tool: cargo-udeps

      - name: Cache Rust dependencies
        uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3

      - name: Check outdated dependencies
        run: cargo outdated --exit-code 1 || echo "::warning::Some dependencies are outdated"

      - name: Check for duplicate dependencies
        run: cargo tree --duplicates

      - name: Check for unused dependencies
        run: cargo +nightly udeps --workspace || echo "::warning::Some dependencies may be unused"

  # Overall status check
  ci-success:
    name: CI Success
    needs:
      [
        commits,
        changes,
        fmt,
        clippy,
        test,
        ledger-integration-tests,
        ipl-parser-security-tests,
        wasm-security-tests,
        coverage,
        full-tests,
        dependencies,
      ]
    runs-on: ubuntu-latest
    permissions:
      contents: read
    if: always()
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
        with:
          egress-policy: audit

      - name: Check all jobs
        run: |
          # Commits check is only required on PRs
          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
            if [[ "${{ needs.commits.result }}" != "success" ]]; then
              echo "Commit message validation failed"
              echo "PR title must follow Conventional Commits format:"
              echo "  <type>(<scope>): <description>"
              echo "  Examples: 'feat: add new feature' or 'fix(api): handle edge case'"
              exit 1
            fi
          fi
          # Format and Clippy can be skipped for Dependabot PRs
          if [[ "${{ needs.fmt.result }}" != "success" && "${{ needs.fmt.result }}" != "skipped" ]]; then
            echo "Format check failed"
            exit 1
          fi
          if [[ "${{ needs.clippy.result }}" != "success" && "${{ needs.clippy.result }}" != "skipped" ]]; then
            echo "Clippy check failed"
            exit 1
          fi
          # Tests are required unless skipped for Dependabot workflow-only PRs
          if [[ "${{ needs.test.result }}" != "success" && "${{ needs.test.result }}" != "skipped" ]]; then
            echo "Tests failed"
            exit 1
          fi
          # Ledger integration tests verify storage backend
          if [[ "${{ needs.ledger-integration-tests.result }}" != "success" && "${{ needs.ledger-integration-tests.result }}" != "skipped" ]]; then
            echo "Ledger integration tests failed"
            exit 1
          fi
          # Coverage only runs on schedule (nightly)
          if [[ "${{ needs.coverage.result }}" != "success" && "${{ needs.coverage.result }}" != "skipped" ]]; then
            echo "Coverage check failed"
            exit 1
          fi
          # Full test suite only runs on schedule (nightly) - informational
          if [[ "${{ needs.full-tests.result }}" != "success" && "${{ needs.full-tests.result }}" != "skipped" ]]; then
            echo "Full test suite failed (informational)"
            # Don't exit - full tests are informational
          fi
          if [[ "${{ needs.dependencies.result }}" != "success" && "${{ needs.dependencies.result }}" != "skipped" ]]; then
            echo "Dependencies check failed"
            exit 1
          fi
          # Security tests are conditional (only on PRs when crates modified, skipped for Dependabot)
          # They can be skipped or successful, but not failed
          echo "Security test results:"
          echo "  IPL Parser: ${{ needs.ipl-parser-security-tests.result }}"
          echo "  WASM: ${{ needs.wasm-security-tests.result }}"

          if [[ "${{ needs.ipl-parser-security-tests.result }}" == "failure" ]]; then
            echo "IPL Parser security tests failed"
            exit 1
          fi
          if [[ "${{ needs.wasm-security-tests.result }}" == "failure" ]]; then
            echo "WASM security tests failed"
            exit 1
          fi

          echo "All required checks passed!"