pulsedeck 0.1.7

name: CI

on:
  push:
    branches:
      - master
      - phase-1-safety-guardrails
  pull_request:

permissions:
  contents: read

jobs:
  rust:
    name: Rust checks (${{ matrix.os }})
    runs-on: ${{ matrix.os }}

    strategy:
      fail-fast: false
      matrix:
        os:
          - ubuntu-latest
          - macos-latest
          - windows-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Install Linux audio build dependencies
        if: runner.os == 'Linux'
        run: |
          sudo apt-get update
          sudo apt-get install -y libasound2-dev pkg-config

      - name: Install Rust stable
        run: |
          rustup toolchain install stable --profile minimal --component rustfmt,clippy
          rustup default stable

      - name: Show tool versions
        run: |
          rustc --version
          cargo --version

      - name: Format check
        run: cargo fmt --check

      - name: Security regression check
        shell: bash
        run: |
          if grep -R "danger_accept_invalid_certs(true)" -n src; then
            echo "Refusing insecure TLS bypass"
            exit 1
          fi

      - name: Clippy
        run: cargo clippy --all-targets --all-features -- -D warnings

      - name: Tests
        run: cargo test --all-targets --all-features

      - name: Release build
        run: cargo build --release

  audit:
    name: RustSec audit
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Install Rust stable
        run: |
          rustup toolchain install stable --profile minimal
          rustup default stable

      - name: Install cargo-audit
        run: cargo install cargo-audit --locked

      - name: Audit dependencies
        run: cargo audit