#!/usr/bin/env bash
# pre-push hook: runs quality checks before every `git push`.
# Install with: make setup  (sets core.hooksPath = .githooks)
set -euo pipefail

echo "pre-push: running checks..."

# ── 1. gofmt ──────────────────────────────────────────────────────────────────
echo "  → gofmt"
UNFORMATTED=$(gofmt -l $(git ls-files '*.go'))
if [ -n "$UNFORMATTED" ]; then
  echo "  FAIL: the following files are not gofmt-formatted:"
  echo "$UNFORMATTED" | sed 's/^/    /'
  echo "  Fix with: make lint-fix"
  exit 1
fi

# ── 2. go vet ─────────────────────────────────────────────────────────────────
echo "  → go vet"
go vet ./...

# ── 3. golangci-lint ──────────────────────────────────────────────────────────
echo "  → golangci-lint"
golangci-lint run ./...

# ── 4. gosec (security scan) ──────────────────────────────────────────────────
echo "  → gosec"
gosec -quiet ./...

# govulncheck is intentionally omitted (network + slow).
# Run it manually with: make security

echo "pre-push: all checks passed."