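name: CI

on:
  push:
    branches: [main, dev]
  pull_request:
    branches: [main, dev]

# Least privilege for the job's GITHUB_TOKEN: nothing in this workflow pushes,
# comments, or publishes — every step only needs to read the checkout. Without
# this block the token inherits the repository's default, which may be
# read/write. Codecov uses its own secret (below), not GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every third-party action here is referenced by a mutable
      # version tag (@v4, @v7, @v5). A tag can be re-pointed by whoever controls
      # the action's repository, so pin each `uses:` to a full commit SHA (keep
      # the tag as a trailing comment) and let Dependabot/Renovate bump the SHA.
      - uses: actions/checkout@v4
        with:
          # No later step writes back to the repository, so do not leave the
          # job token in .git/config where any subsequent step — or a
          # compromised dependency pulled in by `uv sync` — could read it.
          persist-credentials: false

      - name: Install uv
        uses: astral-sh/setup-uv@v7
        with:
          version: "0.5.6"
          enable-cache: true
          cache-dependency-glob: "uv.lock"

      - name: Set up Python 3.11
        run: uv python install 3.11

      # --locked fails the step if uv.lock is out of date with pyproject.toml,
      # so CI never silently resolves a dependency set other than the one that
      # was reviewed and committed.
      - name: Install dependencies
        run: uv sync --all-extras --locked

      - name: Lint with ruff
        run: uv run ruff check src tests

      - name: Format check with ruff
        run: uv run ruff format --check src tests

      - name: Type check with mypy
        run: uv run mypy src

      # -ll: only report findings of medium severity or higher; -q: quiet output.
      - name: Security scan with bandit
        run: uv run bandit -r src -ll -q

      # Runs inside the uv environment, so the audited package set is the one
      # installed from uv.lock above.
      - name: Dependency vulnerability audit
        run: uv run pip-audit

      - name: Run tests with coverage
        run: uv run pytest tests/unit/ -v --cov=src --cov-report=xml --cov-report=term-missing

      # fail_ci_if_error is false so an upload outage cannot block merges; the
      # trade-off is that a broken upload is only visible on Codecov itself.
      # NOTE(review): GitHub withholds repository secrets from pull_request runs
      # triggered by forks, so this step is expected to run tokenless there.
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v5
        with:
          files: ./coverage.xml
          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: false

      # Always upload the coverage report, even when an earlier step failed,
      # so the failing run can still be inspected.
      - name: Upload test artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: test-results
          path: coverage.xml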