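---
# Reusable workflow: lints, tests (with a coverage gate) and security-scans a
# Python project. Other workflows invoke it through `workflow_call`.
name: Reusable Python Checks

on:
  workflow_call:
    inputs:
      # NOTE(review): python_version is declared but never referenced in this
      # workflow; the interpreter is whatever the container image below ships.
      python_version:
        type: string
        default: "3.14"
      # This value is expanded into the "Tests" script and executed verbatim
      # as shell. Callers should pass a fixed string only, never a value
      # derived from event data (branch names, PR titles, commit messages).
      test_command:
        type: string
        default: "coverage run -m pytest"

jobs:
  check:
    runs-on: docker
    container:
      # The tag embeds a commit id, but a registry tag can still be re-pushed.
      # Appending the image digest (`...:<tag>@sha256:<digest>`) would make
      # the reference immutable.
      image: gitea.tech-buddy.at/bitbuddydev/gitea_runner_python314:dev-bda315b82bb23d83065b77d91fedf0e20d9accf1
      credentials:
        username: ${{ secrets.REGISTRY_USERNAME }}
        password: ${{ secrets.REGISTRY_PASSWORD }}
    steps:
      # `v4` is a mutable tag; pinning to the full commit SHA of the release
      # (`actions/checkout@<full-commit-sha>`) protects against a moved tag.
      - name: Checkout
        uses: actions/checkout@v4

      # The extras specifiers are quoted so the shell cannot treat `[dev]` /
      # `[test]` as a glob character class. The fallback chain tries the
      # `dev` extra, then `test`, then the bare package.
      # NOTE(review): the tooling installed on the last line is unpinned, so
      # each run may pick up different ruff/coverage/pip-audit/bandit
      # releases; consider a pinned constraints file.
      - name: Install Tools & Deps
        run: |
          python -m pip install --upgrade pip setuptools wheel
          pip install -e ".[dev]" || pip install -e ".[test]" || pip install -e .
          pip install ruff coverage pip-audit bandit

      - name: Linting
        run: ruff check app tests

      # The XML and HTML reports are written before the threshold check, so
      # they still exist for the upload step when coverage is below 60% and
      # `coverage report --fail-under=60` fails the step.
      - name: Tests
        run: |
          ${{ inputs.test_command }}
          coverage xml
          coverage html
          coverage report --fail-under=60

      # Lines containing "git+" are dropped from the frozen requirement list
      # before the audit, so packages installed from Git URLs are not checked
      # by pip-audit. bandit scans only `app/`.
      - name: Security Scan
        run: |
          pip freeze | grep -v "git+" > req.txt
          pip-audit -r req.txt
          bandit -r app/

      # Runs even when an earlier step failed, so the reports of a failing
      # run can still be inspected.
      - name: Upload Coverage
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: coverage-report
          path: |
            htmlcov/
            coverage.xml

      # Placeholder: the script currently contains only a shell comment.
      # When the notification is added, hand any ntfy token to the step via
      # `env:` from a secret instead of writing it into the script text.
      - name: Notify on Failure
        if: failure()
        run: |
          # (Insert your ntfy logic here)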