#! Main CI Specification for DataHaven Repository
#!
#! This workflow runs validation checks on pull requests.
#! For main branch releases, see release.yml

name: CI

on:
  workflow_dispatch:
  push:
    branches:
      - perm-*
  pull_request:
    branches: [main]

# Permissions granted to reusable workflows
# Note: Called workflows (workflow_call) are constrained by these permissions
permissions:
  contents: read
  actions: write    # Required for artifact upload/download in build-operator, moonwall-tests
  packages: write   # Required for docker-build-ci to push to ghcr.io

concurrency:
  group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  # Tier 0 - Warm sccache for all Rust jobs
  warm-sccache:
    uses: ./.github/workflows/task-warm-sccache.yml

  # First Tier - Build the binary (depends on warm cache)
  build-operator:
    needs: [warm-sccache]
    uses: ./.github/workflows/task-build-operator.yml

  # First Tier - Other parallel jobs
  ts-build:
    uses: ./.github/workflows/task-ts-build.yml
  ts-lint:
    uses: ./.github/workflows/task-ts-lint.yml
  unit-tests:
    needs: [warm-sccache]
    uses: ./.github/workflows/task-rust-tests.yml
  contract-tests:
    uses: ./.github/workflows/task-foundry-tests.yml
  storage-layout:
    uses: ./.github/workflows/task-storage-layout.yml
  rust-lint:
    needs: [warm-sccache]
    uses: ./.github/workflows/task-rust-lint.yml
    
  # Second Tier - Jobs that depend on operator build
  check-metadata:
    needs: [build-operator]
    uses: ./.github/workflows/task-check-metadata.yml
    with:
      binary-hash: ${{ needs.build-operator.outputs.binary-hash }}

  docker-build-ci:
    needs: [build-operator]
    uses: ./.github/workflows/task-docker-ci.yml
    # Note: GITHUB_TOKEN is automatically available to reusable workflows
    with:
      binary-hash: ${{ needs.build-operator.outputs.binary-hash }}

  moonwall-tests:
    needs: [build-operator]
    uses: ./.github/workflows/task-moonwall-tests.yml
    with:
      binary-hash: ${{ needs.build-operator.outputs.binary-hash }}

  # Third Tier - E2E tests depend on docker build
  e2e-tests:
    needs: [docker-build-ci]
    uses: ./.github/workflows/task-e2e.yml
    # Note: GITHUB_TOKEN is automatically available to reusable workflows
    with:
      image-tag: ${{ needs.docker-build-ci.outputs.image-tag }}
    secrets:
      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}