name: Tests

on:
  push:
    branches: ["**"]
  pull_request:
    branches: ["**"]

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Install linters
        run: pip install black==23.12.1 isort==5.13.2 bandit==1.7.5

      - name: Check formatting (black)
        run: black --check --line-length 100 src/ tests/

      - name: Check import order (isort)
        run: isort --check --profile black --line-length 100 src/ tests/

      - name: Security scan (bandit)
        run: bandit -r src/ -ll -s B101,B104,B307,B310,B324,B601,B608 -q

  test:
    runs-on: ubuntu-latest
    needs: lint

    # Required for publish-unit-test-result-action to post check runs and PR comments
    permissions:
      contents: read
      checks: write
      pull-requests: write

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Cache Poetry virtualenv
        uses: actions/cache@v4
        with:
          path: |
            ~/.cache/pypoetry
            ~/.cache/pip
          key: poetry-${{ hashFiles('poetry.lock') }}
          restore-keys: poetry-

      - name: Install dependencies
        run: |
          pip install poetry
          poetry install --with dev

      - name: Run tests
        run: |
          mkdir -p reports
          poetry run pytest \
            --cov=src \
            --cov-report=term-missing \
            --cov-report=xml:reports/coverage.xml \
            --cov-fail-under=73 \
            --junitxml=reports/junit.xml \
            -p no:xdist \
            -m "not ollama and not docker and not selenium and not external_api"

      # Posts a check annotation + PR comment showing pass/fail counts.
      # Visible in the GitHub mobile app under Checks and in PR conversations.
      - name: Publish test results
        uses: EnricoMi/publish-unit-test-result-action@v2
        if: always()
        with:
          files: reports/junit.xml
          check_name: "pytest results"
          comment_title: "Test Results"
          report_individual_runs: true

      # Coverage report available as a downloadable artifact in the Actions tab
      - name: Upload coverage report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: coverage-report
          path: reports/coverage.xml
          retention-days: 14

  docker-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build Docker image
        run: DOCKER_BUILDKIT=1 docker build -t timmy-time:ci .