name: Forge Runner Smoke

on:
  workflow_dispatch:
  push:
    paths:
      - ".gitea/workflows/forge-runner-smoke.yaml"
      - "docs/gitea-actions-runner-substrate.md"
      - "docs/gitea-actions-runner-evidence.md"
      - "runner/**"
      - "tools/gitea-runner-status.sh"

jobs:
  compatibility-smoke:
    runs-on: [self-hosted, haskelseed]
    steps:
      - name: Report non-secret runner context
        run: |
          set -eu
          echo "repository=${GITHUB_REPOSITORY:-unknown}"
          echo "sha=${GITHUB_SHA:-unknown}"
          echo "runner=${RUNNER_NAME:-unknown}"
          uname -a

      - name: Check container tooling if present
        run: |
          set -eu
          if command -v docker >/dev/null 2>&1; then
            docker version --format 'docker-server={{.Server.Version}}'
          else
            echo "docker not present on smoke runner"
          fi

      - name: Verify no baseline deployment or publish secrets
        run: |
          set -eu
          test -z "${KUBECONFIG:-}" || { echo "KUBECONFIG unexpectedly set"; exit 1; }
          test -z "${REGISTRY_PASSWORD:-}" || { echo "REGISTRY_PASSWORD unexpectedly set"; exit 1; }
          test -z "${GITEA_RUNNER_REGISTRATION_TOKEN:-}" || { echo "runner registration token exposed"; exit 1; }