name: CI

on:
  push:
    branches: ["**"]
  pull_request:
    branches: ["master"]

jobs:
  build-and-anchors:
    runs-on: ubuntu-latest
    container:
      image: node:20-bookworm-slim
      options: >-
        --dns=192.168.1.1
        --dns=109.0.66.10
        --dns-option=timeout:2
        --dns-option=attempts:2
        --dns-option=use-vc

    steps:
      - name: Install base tools (git + certs)
        run: |
          set -e
          apt-get update
          apt-get install -y --no-install-recommends git ca-certificates
          rm -rf /var/lib/apt/lists/*
          git --version

      - name: Checkout (from Gitea, no external actions)
        env:
          SERVER: ${{ github.server_url }}
          REPO: ${{ github.repository }}
          SHA: ${{ github.sha }}
          TOKEN: ${{ secrets.CI_TOKEN }}
        run: |
          set -euo pipefail

          if [ -n "${TOKEN:-}" ]; then
            AUTH="$(printf "oauth2:%s" "$TOKEN" | base64 | tr -d '\n')"
            git -c http.extraHeader="AUTHORIZATION: basic $AUTH" clone "$SERVER/$REPO.git" .
          else
            echo "ℹ️ CI_TOKEN absent → clone sans auth (repo public ou accès runner déjà OK)."
            git clone "$SERVER/$REPO.git" .
          fi

          git checkout "$SHA"

      - name: Install deps
        run: npm ci

      - name: Inline scripts syntax check
        run: node scripts/check-inline-js.mjs

      - name: Build
        run: npm run build

      - name: Anchors contract
        run: npm run test:anchors