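---
# CI workflow: runs lint (ruff), type checking (mypy --strict), tests (pytest),
# static security analysis (bandit) and a dependency vulnerability audit
# (pip-audit) as five independent jobs on every push, every pull request and
# on manual dispatch.
#
# NOTE(review): third-party and first-party actions below are referenced by
# mutable tags (@v4, @v3). Pinning each `uses:` to a full commit SHA prevents
# a retagged release from changing what runs in this pipeline.
name: CI

on:
  push:
    branches: ["**"]
  pull_request:
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: every job here only reads the repository.
# Without this block the token inherits the repository/organization default,
# which may include write scopes.
permissions:
  contents: read

# Cancel superseded runs on the same ref.
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

env:
  # Quoted so the version stays a string (unquoted 3.12 would parse as a float).
  PYTHON_VERSION: "3.12"

jobs:
  lint:
    name: ruff
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # No step pushes or fetches again, so do not leave the token in
          # .git/config where later steps (dev dependencies, tools) could
          # read it.
          persist-credentials: false

      - name: Install uv
        uses: astral-sh/setup-uv@v3
        with:
          enable-cache: true

      - name: Set up Python
        run: uv python install ${{ env.PYTHON_VERSION }}

      - name: Install dependencies
        run: uv sync --extra dev

      - name: ruff check
        run: uv run ruff check .

  typecheck:
    name: mypy --strict
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Read-only job: keep the token out of the checked-out .git/config.
          persist-credentials: false

      - name: Install uv
        uses: astral-sh/setup-uv@v3
        with:
          enable-cache: true

      - name: Set up Python
        run: uv python install ${{ env.PYTHON_VERSION }}

      - name: Install dependencies
        run: uv sync --extra dev

      - name: mypy
        run: uv run mypy --strict src

  test:
    name: pytest
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Test code and its dependencies execute in this job; keep the
          # token out of the checked-out .git/config.
          persist-credentials: false

      - name: Install uv
        uses: astral-sh/setup-uv@v3
        with:
          enable-cache: true

      - name: Set up Python
        run: uv python install ${{ env.PYTHON_VERSION }}

      - name: Install dependencies
        run: uv sync --extra dev

      # Phase 1: an empty/placeholder suite must pass. pytest exits 5 when it
      # collects no tests; we treat that as success this phase. Coverage is
      # reported but not gated yet (no --cov-fail-under until later phases).
      #
      # NOTE(review): remove the exit-5 allowance once real tests exist;
      # otherwise a collection misconfiguration that finds no tests would
      # pass this job silently.
      - name: pytest
        shell: bash
        run: |
          # `shell: bash` runs with -e; disable it so the pytest exit code
          # can be inspected instead of aborting the step immediately.
          set +e
          uv run pytest --cov=neuronetz_gateway --cov-report=term-missing
          code=$?
          if [ "$code" -eq 5 ]; then
            echo "::notice::No tests collected (Phase 1) — treating as success."
            exit 0
          fi
          # Any other status (including real test failures) fails the job.
          exit "$code"

  bandit:
    name: bandit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Read-only job: keep the token out of the checked-out .git/config.
          persist-credentials: false

      - name: Install uv
        uses: astral-sh/setup-uv@v3
        with:
          enable-cache: true

      - name: Set up Python
        run: uv python install ${{ env.PYTHON_VERSION }}

      - name: Install dependencies
        run: uv sync --extra dev

      # Static security scan of the package sources only (-r src), quiet
      # output (-q). Code outside src/ is not scanned by this step.
      - name: bandit
        run: uv run bandit -q -r src

  pip-audit:
    name: pip-audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Read-only job: keep the token out of the checked-out .git/config.
          persist-credentials: false

      - name: Install uv
        uses: astral-sh/setup-uv@v3
        with:
          enable-cache: true

      - name: Set up Python
        run: uv python install ${{ env.PYTHON_VERSION }}

      - name: Install dependencies
        run: uv sync --extra dev

      # Audits the packages installed in the synced environment, which
      # includes the `dev` extra, for known vulnerabilities.
      - name: pip-audit
        run: uv run pip-audit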