#!/usr/bin/env bash
# pre-push hook: runs quality checks before every `git push`.
# Install with: make setup  (sets core.hooksPath = .githooks)
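set -euo pipefail

REPO_ROOT=$(git rev-parse --show-toplevel)
# Run every check from the repository root. Git starts client-side hooks
# there already, but a manual run from a subdirectory would otherwise limit
# `git ls-files` and `./...` to that subtree and report a pass for a partial
# check.
cd -- "$REPO_ROOT"

# tools.versions is sourced, i.e. executed as shell code in this process, so
# it carries the same trust as the hook itself. It is expected to define the
# tool versions used below (GOLANGCI_LINT_VERSION, GOSEC_VERSION).
# shellcheck source=../tools.versions
source "${REPO_ROOT}/tools.versions"

echo "pre-push: running checks..."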

# ── 1. gofmt ──────────────────────────────────────────────────────────────────
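echo "  → gofmt"
# Collect tracked Go files NUL-delimited into an array so paths containing
# spaces or glob characters reach gofmt as single, unmodified arguments.
GO_FILES=()
while IFS= read -r -d '' go_file; do
  GO_FILES+=("$go_file")
done < <(git ls-files -z -- '*.go')

# Only call gofmt when there is something to check: with no file arguments
# gofmt reads standard input, which for a pre-push hook is the ref list git
# supplies, so an empty file list would fail (or hang on a terminal) instead
# of passing.
UNFORMATTED=""
if [ "${#GO_FILES[@]}" -gt 0 ]; then
  # `--` keeps a file name starting with '-' from being parsed as a flag.
  UNFORMATTED=$(gofmt -l -- "${GO_FILES[@]}")
fi

if [ -n "$UNFORMATTED" ]; then
  echo "  FAIL: the following files are not gofmt-formatted:"
  printf '%s\n' "$UNFORMATTED" | sed 's/^/    /'
  echo "  Fix with: make lint-fix"
  exit 1
fi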

# ── 2. go vet ─────────────────────────────────────────────────────────────────
# Announce the step, then vet every package below the current directory.
# A non-zero exit from `go vet` aborts the hook because of `set -e`.
printf '%s\n' "  → go vet"
go vet ./...

# ── 3. golangci-lint ──────────────────────────────────────────────────────────
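echo "  → golangci-lint"
# Fail with a clear message if the version is unset or empty instead of
# handing `go run` a bare "pkg@".
: "${GOLANGCI_LINT_VERSION:?GOLANGCI_LINT_VERSION must be set in tools.versions}"
# `go run pkg@version` downloads and executes that module version, so the
# value decides which code runs on the developer's machine.
# NOTE(review): confirm tools.versions pins an exact release rather than a
# moving target such as "latest".
# The argument is quoted so a value containing whitespace cannot be split
# into extra command-line flags for the linter.
go run "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" run ./...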

# ── 4. gosec (security scan) ──────────────────────────────────────────────────
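echo "  → gosec"
# Fail with a clear message if the version is unset or empty instead of
# handing `go run` a bare "pkg@".
: "${GOSEC_VERSION:?GOSEC_VERSION must be set in tools.versions}"
# The security scanner itself is fetched and executed by `go run`, so the
# version value decides which scanner code runs.
# NOTE(review): confirm tools.versions pins an exact release rather than a
# moving target such as "latest".
# The argument is quoted so a value containing whitespace cannot be split
# into extra flags (for example ones that exclude rules) and silently weaken
# the scan.
go run "github.com/securego/gosec/v2/cmd/gosec@${GOSEC_VERSION}" -quiet ./...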

# govulncheck is intentionally omitted (network + slow), so this hook does
# not check dependencies for known vulnerabilities.
# Run it manually with: make security

# Reached only when every check above exited zero (`set -e` aborts earlier).
printf '%s\n' "pre-push: all checks passed."
