name: CI

on:
  push:
    branches: ["**"]
  pull_request:
    branches: ["master"]

jobs:
  build-and-anchors:
    runs-on: ubuntu-latest
    container:
      # Image avec node + git déjà présents -> pas d'APT
      image: mcr.microsoft.com/devcontainers/javascript-node:20-bookworm
      # On force root pour pouvoir écrire /etc/resolv.conf (sinon user "node")
      options: >-
        --user root
        --add-host gitea.archicratie.trans-hands.synology.me:192.168.1.20

    steps:
      - name: Force DNS inside job container (DS220+ / act_runner)
        run: |
          set -eu
          echo "== resolv.conf (before) =="; cat /etc/resolv.conf || true

          cat > /etc/resolv.conf <<'EOF'
          nameserver 192.168.1.1
          nameserver 109.0.66.10
          options timeout:2 attempts:2
          EOF

          echo "== resolv.conf (after) =="; cat /etc/resolv.conf
          node -e 'require("dns").resolve4("deb.debian.org",(e,a)=>console.log("dns",e||a))'

      - name: Checkout (from Gitea, no external actions)
        env:
          SERVER: ${{ github.server_url }}
          REPO: ${{ github.repository }}
          SHA: ${{ github.sha }}
          TOKEN: ${{ secrets.CI_TOKEN }}
        run: |
          set -euo pipefail
          if [ -n "${TOKEN:-}" ]; then
            AUTH="$(printf "oauth2:%s" "$TOKEN" | base64 | tr -d '\n')"
            git -c http.extraHeader="AUTHORIZATION: basic $AUTH" clone "$SERVER/$REPO.git" .
          else
            echo "ℹ️ CI_TOKEN absent → clone sans auth (repo public ou accès runner déjà OK)."
            git clone "$SERVER/$REPO.git" .
          fi
          git checkout "$SHA"

      - name: Install deps
        run: npm ci

      - name: Inline scripts syntax check
        run: node scripts/check-inline-js.mjs

      - name: Build
        run: npm run build

      - name: Anchors contract
        run: npm run test:anchors