# CircleCI pipeline configuration.
#
# Four workflows are defined. Each is selected by a combination of the
# trigger source and the three boolean pipeline parameters below
# (release_flag, success_flag, validation_flag); every `when` clause
# requires the other flags to be unset, so at most one flag-driven
# workflow runs per pipeline.
version: 2.1

parameters:
  # Passed as `ssh_fingerprint` to toolkit/update_prlog and
  # toolkit/make_release. A fingerprint only identifies a key; the key
  # itself is not stored in this file.
  # NOTE(review): presumably a key registered in the project settings with
  # push access. Confirm its scope and rotate this value with the key.
  fingerprint:
    type: string
    default: SHA256:OkxsH8Z6Iim6WDJBaII9eTT9aaO1f3eDc6IpsgYYPVg
  # Quoted so that the value stays a string rather than a float.
  min_rust_version:
    type: string
    default: "1.88"
  # NOTE(review): the flags are plain pipeline parameters. Setting
  # release_flag selects a workflow that attaches the `release` and
  # `bot-check` contexts, so access to those contexts should be restricted
  # on the CircleCI side as well. Confirm in the organisation settings.
  release_flag:
    type: boolean
    default: false
    description: "If true, the release workflow will be executed."
  success_flag:
    type: boolean
    default: false
    description: "If true, the success pipeline will be executed."
  validation_flag:
    type: boolean
    default: false
    description: "If true, the validation pipeline will be executed."

orbs:
  # Pinned to an exact version. The orb's jobs run with the contexts
  # attached below, so a version bump deserves the same review as a code
  # change.
  toolkit: jerus-org/circleci-toolkit@4.4.2

# Custom executors removed - using toolkit rolling executors instead

workflows:
  # Entry point: runs for non-scheduled pipelines when no flag is set.
  # NOTE(review): presumably this job decides which flag to set and starts
  # the follow-up pipeline. Confirm against the orb source.
  check_last_commit:
    when:
      and:
        - not:
            equal: [scheduled_pipeline, << pipeline.trigger_source >>]
        - not: << pipeline.parameters.success_flag >>
        - not: << pipeline.parameters.release_flag >>
        - not: << pipeline.parameters.validation_flag >>
    jobs:
      - toolkit/choose_pipeline:
          name: choose pipeline based on committer
          context: bot-check

  # Runs for non-scheduled pipelines when only validation_flag is set.
  validation:
    when:
      and:
        - not:
            equal: [scheduled_pipeline, << pipeline.trigger_source >>]
        - not: << pipeline.parameters.success_flag >>
        - << pipeline.parameters.validation_flag >>
        - not: << pipeline.parameters.release_flag >>
    jobs:
      # Signature verification for trusted PRs (with write access for
      # comments). Skipped on main and on pull/N branches.
      - toolkit/verify_commit_signatures:
          name: verify_commit_signatures_trusted
          context: bot-check
          post_comment: true
          update_pcu: false
          filters:
            branches:
              ignore:
                - main
                - /pull\/[0-9]+/
      # Signature verification for forked PRs (read-only, no comments).
      # No context is attached here, so the job receives no context
      # secrets while building pull/N branches. Keep it that way when
      # editing this entry.
      - toolkit/verify_commit_signatures:
          name: verify_commit_signatures_forked
          post_comment: false
          update_pcu: false
          filters:
            branches:
              only: /pull\/[0-9]+/
      # Only on main, with the pcu-app context.
      - toolkit/label:
          min_rust_version: << pipeline.parameters.min_rust_version >>
          context: pcu-app
          update_pcu: true
          filters:
            branches:
              only:
                - main
      - toolkit/required_builds:
          min_rust_version: << pipeline.parameters.min_rust_version >>
      - toolkit/optional_builds:
          min_rust_version: << pipeline.parameters.min_rust_version >>
      - toolkit/test_doc_build:
          min_rust_version: << pipeline.parameters.min_rust_version >>
      - toolkit/common_tests:
          min_rust_version: << pipeline.parameters.min_rust_version >>
          test_runner: nextest
          nextest_profile: ci
          post-steps:
            - store_test_results:
                path: target/nextest/ci/junit.xml
      - toolkit/idiomatic_rust:
          min_rust_version: << pipeline.parameters.min_rust_version >>
      # The security job is declared twice: without a context (and with
      # sonarcloud disabled) for pull/N branches, and with the SonarCloud
      # context for every other branch except main.
      # NOTE(review): RUSTSEC-2025-0066 is suppressed in both entries with
      # no reason recorded. Add the justification and a review date here,
      # and keep the two ignore lists identical.
      - toolkit/security:
          name: security audit only
          sonarcloud: false
          ignore_advisories: RUSTSEC-2025-0066
          filters:
            branches:
              only: /pull\/[0-9]+/
      - toolkit/security:
          name: security with sonarcloud
          context: SonarCloud
          ignore_advisories: RUSTSEC-2025-0066
          filters:
            branches:
              ignore:
                - /pull\/[0-9]+/
                - main
      # Runs with the release and bot-check contexts and the SSH key, so
      # it is excluded from pull/N branches and from main.
      # NOTE(review): `security audit only` is filtered to pull/N branches,
      # which this job ignores. Confirm how CircleCI resolves a `requires`
      # entry whose job is filtered out on the current branch.
      - toolkit/update_prlog:
          filters:
            branches:
              ignore:
                - /pull\/[0-9]+/
                - main
          requires:
            - verify_commit_signatures_trusted
            - toolkit/required_builds
            - toolkit/test_doc_build
            - toolkit/idiomatic_rust
            - security audit only
            - security with sonarcloud
            - toolkit/common_tests
          context:
            - release
            - bot-check
          ssh_fingerprint: << pipeline.parameters.fingerprint >>
          min_rust_version: << pipeline.parameters.min_rust_version >>

  # Runs for non-scheduled pipelines when only success_flag is set.
  on_success:
    when:
      and:
        - not:
            equal: [scheduled_pipeline, << pipeline.trigger_source >>]
        - << pipeline.parameters.success_flag >>
        - not: << pipeline.parameters.validation_flag >>
        - not: << pipeline.parameters.release_flag >>
    jobs:
      - toolkit/end_success

  # Runs either for the schedule named "release check" or when
  # release_flag is set, provided the other two flags are unset.
  release:
    when:
      and:
        - or:
            - and:
                - equal: [scheduled_pipeline, << pipeline.trigger_source >>]
                - equal: ["release check", << pipeline.schedule.name >>]
            - << pipeline.parameters.release_flag >>
        - not: << pipeline.parameters.success_flag >>
        - not: << pipeline.parameters.validation_flag >>
    jobs:
      - toolkit/save_next_version:
          min_rust_version: << pipeline.parameters.min_rust_version >>
      - toolkit/make_release:
          requires:
            - toolkit/save_next_version
          pre-steps:
            - attach_workspace:
                at: /tmp/workspace
            # `set +ex` switches off errexit and xtrace, so a missing or
            # unreadable next-version file does not stop this step and an
            # empty SEMVER is appended to $BASH_ENV.
            # NOTE(review): the file content is written unquoted into
            # $BASH_ENV, which later steps source while the release and
            # bot-check contexts are attached. Consider failing when the
            # file is absent and checking that the value looks like a
            # version before appending it.
            - run:
                name: Set SEMVER based on next-version file
                command: |
                  set +ex
                  export SEMVER=$(cat /tmp/workspace/next-version)
                  echo $SEMVER
                  echo "export SEMVER=$SEMVER" >> "$BASH_ENV"
          context:
            - release
            - bot-check
          ssh_fingerprint: << pipeline.parameters.fingerprint >>
          min_rust_version: << pipeline.parameters.min_rust_version >>
          when_get_version: false
      # Runs only when toolkit/save_next_version ends in the failed state.
      - toolkit/no_release:
          min_rust_version: << pipeline.parameters.min_rust_version >>
          requires:
            - toolkit/save_next_version:
                - failed