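---
# Fix-marker regression guard.
#
# Asserts that previously-shipped fixes are still present in the tree.
# Manifest: scripts/fix-markers.json
# Checker:  scripts/check_fix_markers.py
# Run locally: python scripts/check_fix_markers.py (also --list / --json)
#
# This complements the heavyweight checks (firmware build, deterministic
# pipeline proof, witness bundle) with a fast per-PR "did someone revert a
# known fix?" gate — the CI analogue of the ruflo witness fix-marker system.
name: Fix-Marker Regression Guard

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
      - master
  pull_request:
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: every step below only reads the checkout.
# Writing the step summary and uploading the artifact do not need any write
# scope on this token. Without an explicit block the token inherits the
# repository default, which may be read/write.
permissions:
  contents: read

jobs:
  fix-markers:
    name: Verify fix markers
    runs-on: ubuntu-latest
    # Two small Python invocations; anything longer than this is a hang.
    timeout-minutes: 10
    steps:
      # Third-party actions are referenced by major-version tag. Pinning each
      # `uses:` to a full commit SHA would make the action supply chain
      # immutable instead of following a mutable tag.
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v6
        with:
          # Quoted so the version is a string, not the float 3.11.
          python-version: '3.11'

      # Fail fast with a clear message if the manifest itself is broken,
      # rather than letting the checker choke on a JSON parse error.
      - name: Validate the manifest is well-formed JSON
        run: python -c "import json; json.load(open('scripts/fix-markers.json')); print('manifest OK')"

      # The actual gate: a non-zero exit here fails the job.
      - name: Check fix markers
        run: python scripts/check_fix_markers.py

      # Runs even after a failed check so the summary and artifact always
      # describe what was found. `|| true` keeps a failing checker from
      # masking the gate result recorded by the previous step.
      - name: Emit machine-readable result (for the run summary)
        if: always()
        run: |
          python scripts/check_fix_markers.py --json > fix-markers-result.json || true
          {
            echo '### Fix-marker regression guard'
            echo ''
            echo '```'
            python scripts/check_fix_markers.py || true
            echo '```'
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Upload result artifact
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: fix-markers-result
          path: fix-markers-result.json
          retention-days: 30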