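# Continuous integration: unit tests and repo-invariant tests across three
# Python versions, plus the exploit-replay regression suite on Python 3.12.
name: CI

on:
  push:
    branches: [main]
  pull_request:

# Least privilege for GITHUB_TOKEN: the jobs below only check out the
# repository and run tests, so read access to contents is sufficient.
# Without this block the token gets the repository/organisation default,
# which may include write scopes.
permissions:
  contents: read

# NOTE(review): the actions below are referenced by mutable major-version
# tags (@v4, @v5). Pinning each to a full commit SHA prevents a re-tagged
# release from changing what runs here.
# NOTE(review): pytest and pyyaml are installed unpinned; a constraints or
# lock file would make the test environment reproducible.

jobs:
  unit-and-meta:
    name: Unit + repo-invariant tests (py${{ matrix.python-version }})
    runs-on: ubuntu-latest
    strategy:
      # Let every Python version finish even if one of them fails.
      fail-fast: false
      matrix:
        # Quoted so that 3.10 is not parsed as the float 3.1.
        python-version: ["3.10", "3.11", "3.12"]
    steps:
      - uses: actions/checkout@v4
        with:
          # Later steps execute project code (pip install -e ., pytest),
          # including code from pull requests; do not leave the token in
          # the local git config where that code could read it.
          persist-credentials: false
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install
        run: |
          python -m pip install --upgrade pip
          pip install -e .
          pip install pytest pyyaml
      - name: Unit tests
        run: pytest tests/unit -q
      - name: Repo invariant tests (exploit/test/changelog coverage)
        run: pytest tests/meta -q

  regression-suite:
    name: Constitutional regression suite (exploit replays)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Same reasoning as above: the replayed tests run repository
          # code, so keep the token out of the checked-out git config.
          persist-credentials: false
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install
        run: |
          python -m pip install --upgrade pip
          pip install -e .
          pip install pytest pyyaml
      - name: Replay every recorded exploit against the current kernel
        run: pytest tests/regression -q
      # Runs after the replay so that a gap in exploit-to-test coverage
      # fails the job even when every existing regression test passes.
      - name: Verify exploit-to-test coverage is airtight
        run: python scripts/verify_exploit_coverage.py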