# CI/CD Automated Quick Start and Test Suite

# a collection of unit tests (with many side effects) that assert various
# components of the graphical shell and ensure that initial bootstrap and
# post-install scripts work as intended under the current stable distribution
# of Debian GNU/Linux

name: CI
on:
  push:
  pull_request:
  schedule:
    - cron: "*/39 * * * *"

jobs:
  Install:
     runs-on: ubuntu-latest
     container: debian:bookworm
     steps:
       - name: Install prerequisite software
         run: apt-get update && apt-get install -y git wget sudo
       - name: Checkout dotfiles and bootstrap system
         run: |
           git clone --bare \
             "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" ~/.config/meta
           git --git-dir=$HOME/.config/meta --work-tree=$HOME \
             reset $GITHUB_SHA --hard
       - name: Run post-install system config scripts in order
         shell: bash -le {0}
         env:
           TERM: rxvt
         run: yes n | bash -lc post-install
       - name: Update website and run cron job tasks with kagami
         shell: bash -le {0}
         env:
           GH_PAT: ${{ secrets.GH_PAT }}
           SITE_REPO: microsounds/microsounds.github.io
         # if: ${{ github.event_name == 'push' }}
         run: |
           git clone "$GITHUB_SERVER_URL/$SITE_REPO" ~/site
           cd ~/site
           kagami
           git remote set-url \
             origin "https://$GH_PAT@${GITHUB_SERVER_URL##*/}/$SITE_REPO"

           # assign bot commits to the gh-actions account
           git config user.name 'github-actions[bot]'
           git config user.email '41898282+github-actions[bot]@users.noreply.github.com'

           # pull in changes since cloning
           # if last commit was a [CI] commit, amend last commit and push -f
           git pull --rebase --autostash
           case "$(git log -1 --pretty="%B")" in
             "[CI]"*)
               git reset --soft HEAD~1
               git checkin
               git push -f;;
             *) git shove
           esac
       - name: Test nano-overlay ssh-sign file encryption
         shell: bash -le {0}
         env:
           TERM: rxvt
           EXTERN_EDITOR: cat
         run: |
           for f in $(seq 10); do
             for g in rsa ed25519; do
               case $g in
                 rsa) bits=$(seq 1024 $((1024 * 6)) | shuf | head -n 1);;
                 ed25519) bits=256;;
               esac
               secret="$f taro bubble teas! >‿<"
               echo "$secret" > ok
               echo "$g-$bits" | figlet -f big
               yes y | ssh-keygen -q -f "$g-$bits" -t $g -b $bits -N '' -m pem
               echo 'ENCRYPTING'
               yes y | nano-overlay -i "$g-$bits" -s ok || exit 1
               { gzip -d | tar -xO enc | file -; } < ok | fgrep 'openssl' || exit 1
               echo 'READBACK'
               nano-overlay -i "$g-$bits" -s ok | fgrep "$secret" || exit 1
               if [ -f prev_key ]; then
                 echo 'TESTING PREVIOUS ITERATION KEY'
                 nano-overlay -i prev_key -s ok && \
                 { echo '!!!! SECURITY FAILURE !!!!' | figlet -f banner; exit 1; }
               fi
               mv -v "$g-$bits" prev_key
               mv -v "$g-$bits.pub" prev_key.pub
               rm -rf "$g-$bits"*
             done
           done
           rm -rf ~/site
       - name: Assert and test various components of the graphical shell
         shell: bash -le {0}
         env:
           TERM: rxvt
         run: |
           GIT_WORK_TREE="$HOME" GIT_DIR="$HOME/.config/meta" path-gitstatus -p
           fgrep 'stdc.syntax' < ~/.local/share/nano/c.nanorc
           bash -lc colors
           cpp -P <<- EOF
               #include <colors/nightdrive.h>
           EOF
           twopass ffmpeg -loglevel quiet -s 1920x1080 -t 0.2 -f rawvideo \
             -i /dev/urandom -c:v libvpx -b:v 100M -an noise.webm
           mpv --vo=null noise.webm
           nano-overlay --version
           pfetch