name: Sanitize
on:
  pull_request:
    branches: ["main"]
  merge_group:
  workflow_dispatch:
env:
  DUMP_SIMULATION_SEEDS: /tmp/simulation-seeds

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

permissions:
  contents: read

defaults:
  run:
    shell: bash

jobs:
  sanitize:
    name: Sanitize
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-24.04, macos-15] # No Windows support for sanitizers.
        sanitizer: [address, thread, leak] # TODO: memory
        exclude:
          # Memory and leak sanitizers are not supported on macOS.
          - os: macos-15
            sanitizer: leak
          # - os: macos-15
          #   sanitizer: memory
    runs-on: ${{ matrix.os }}

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - uses: ./.github/actions/rust
        with:
          version: nightly
          components: rust-src
          tools: cargo-hack
          token: ${{ secrets.GITHUB_TOKEN }}

      - id: nss-version
        run: echo "minimum=$(cat min_version.txt)" >> "$GITHUB_OUTPUT"

      - uses: ./.github/actions/nss
        with:
          minimum-version: ${{ steps.nss-version.outputs.minimum }}

      - name: Run tests with sanitizers
        env:
          RUST_LOG: trace
          RUSTDOCFLAGS: "-Z sanitizer=${{ matrix.sanitizer }} -Cunsafe-allow-abi-mismatch=sanitizer"
          ASAN_OPTIONS: detect_leaks=1:detect_stack_use_after_return=1
          RUST_BACKTRACE: 1
          OS: ${{ matrix.os }}
          SANITIZER: ${{ matrix.sanitizer }}
        run: |
          # Append to RUSTFLAGS, which may already be set by the Rust action.
          export RUSTFLAGS="-Z sanitizer=$SANITIZER $RUSTFLAGS"
          if [ "$OS" = "ubuntu-24.04" ]; then
            sudo apt-get install -y --no-install-recommends llvm
            TARGET="x86_64-unknown-linux-gnu"
          elif [ "$OS" = "macos-15" ]; then
            # llvm-symbolizer (as part of llvm) is installed by default on macOS runners
            TARGET="aarch64-apple-darwin"
            # Suppress non-neqo leaks on macOS. TODO: Check occasionally if these are still needed.
            {
              echo "leak:dyld4::RuntimeState"
              echo "leak:fetchInitializingClassList"
              echo "leak:lang_start_internal"
            } > suppressions.txt
            PWD=$(pwd)
            export LSAN_OPTIONS="suppressions=$PWD/suppressions.txt"
          fi
          cargo test --locked -Z build-std --target "$TARGET"
          cargo hack --workspace test --locked -Z build-std --target "$TARGET"

      - name: Save simulation seeds artifact
        if: ${{ env.DUMP_SIMULATION_SEEDS }}
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: simulation-seeds-${{ matrix.os }}-sanitizer-${{ matrix.sanitizer }}
          path: ${{ env.DUMP_SIMULATION_SEEDS }}
          compression-level: 9