#!/usr/bin/env bash
set -euo pipefail

repo_root="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
chart_dir="${repo_root}/helm"
rendered_manifest="$(mktemp --suffix=.yaml)"
release_name="${RELEASE_NAME:-agentguard-ci}"

cleanup() {
  rm -f "${rendered_manifest}"
}

require_command() {
  if ! command -v "$1" >/dev/null 2>&1; then
    printf 'Missing required command: %s\n' "$1" >&2
    exit 1
  fi
}

run_kubectl_client_check() {
  require_command kubectl
  if ! kubectl apply --dry-run=client --validate=false -f "${rendered_manifest}" >/dev/null 2>&1; then
    cat <<'EOF' >&2
kubectl client dry-run failed.
For Argo CRDs, this check can still be environment-sensitive and is optional here.
Re-run without RUN_KUBECTL_CLIENT_CHECK=1, or use RUN_KUBECTL_SERVER_CHECK=1 against a cluster with the CRDs installed.
EOF
    exit 1
  fi
}

run_kubectl_server_check() {
  require_command kubectl
  kubectl apply --dry-run=server -f "${rendered_manifest}" >/dev/null
}

trap cleanup EXIT

require_command helm
require_command argo

printf '==> helm lint\n'
helm lint "${chart_dir}"

printf '==> helm template\n'
helm template "${release_name}" "${chart_dir}" > "${rendered_manifest}"

printf '==> argo lint --offline\n'
argo lint --offline --kinds=clusterworkflowtemplates "${rendered_manifest}"

if [[ "${RUN_KUBECTL_CLIENT_CHECK:-0}" == "1" ]]; then
  printf '==> kubectl apply --dry-run=client\n'
  run_kubectl_client_check
fi

if [[ "${RUN_KUBECTL_SERVER_CHECK:-0}" == "1" ]]; then
  printf '==> kubectl apply --dry-run=server\n'
  run_kubectl_server_check
fi