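---
# Reusable workflow: lint, run the test suite under coverage, and optionally
# audit a Python project.  It is invoked through `workflow_call`, so every
# value under `inputs` is supplied by the calling workflow.  The `run:` steps
# below therefore read those inputs through `env:` (as shell variables)
# instead of interpolating `${{ }}` directly into the script text, so an input
# value is never parsed as shell syntax.  `test_command` is the one deliberate
# exception: it is a command string by contract and is executed with `eval`.
name: Reusable Python Checks

# yamllint disable-line rule:truthy -- `on` is a YAML 1.1 boolean; the Actions loader handles it.
on:
  workflow_call:
    inputs:
      # Declared for callers but not consumed by any step: the interpreter
      # comes from the container image below.  Kept for interface compatibility.
      python_version:
        type: string
        default: "3.14"
      # One directory path; linted and scanned by bandit.
      source_path:
        type: string
        default: "app"
      # One directory path; linted only.
      tests_path:
        type: string
        default: "tests"
      # Shell command that runs the tests under `coverage` (must produce .coverage data).
      test_command:
        type: string
        default: "coverage run -m pytest"
      # Minimum total coverage percentage; a string so the value passes through verbatim.
      coverage_fail_under:
        type: string
        default: "80"
      # Set to false to skip pip-audit and bandit.
      run_security_scan:
        type: boolean
        default: true

jobs:
  check:
    runs-on: docker
    container:
      # The tag embeds the builder commit but is still a mutable tag; pin by
      # digest (`image@sha256:<digest>`) if toolchain reproducibility matters.
      image: gitea.tech-buddy.at/bitbuddydev/gitea_runner_python314:dev-bda315b82bb23d83065b77d91fedf0e20d9accf1
      credentials:
        username: ${{ secrets.REGISTRY_USERNAME }}
        password: ${{ secrets.REGISTRY_PASSWORD }}
    steps:
      # Actions are referenced by mutable major-version tags; pinning to a
      # commit SHA (`actions/checkout@<commit-sha>`) removes that moving target.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Tools & Deps
        run: |
          python -m pip install --upgrade pip setuptools wheel
          # Fall back through the common optional-dependency groups.
          pip install -e ".[dev]" || pip install -e ".[test]" || pip install -e .
          pip install ruff coverage pip-audit bandit

      - name: Linting
        env:
          SOURCE_PATH: ${{ inputs.source_path }}
          TESTS_PATH: ${{ inputs.tests_path }}
        run: ruff check "$SOURCE_PATH" "$TESTS_PATH"

      - name: Tests
        env:
          TEST_COMMAND: ${{ inputs.test_command }}
          COVERAGE_FAIL_UNDER: ${{ inputs.coverage_fail_under }}
        run: |
          # `test_command` is a command string by contract (see the inputs above).
          eval "$TEST_COMMAND"
          # Write the reports before enforcing the threshold, so the artifacts
          # uploaded below exist even when the threshold is not met.
          coverage xml
          coverage html
          coverage report --fail-under="$COVERAGE_FAIL_UNDER"

      - name: Security Scan
        if: ${{ inputs.run_security_scan }}
        env:
          SOURCE_PATH: ${{ inputs.source_path }}
        run: |
          # pip-audit works from a requirements file; VCS (git+) pins carry no
          # advisory-matchable version, so they are dropped.  Note: under the
          # default `-e` shell, an environment consisting only of git+ packages
          # makes `grep -v` exit 1 and fails this step.
          pip freeze | grep -v "git+" > req.txt
          pip-audit -r req.txt
          bandit -r "$SOURCE_PATH"

      # Both uploads run even when an earlier step failed, so the coverage
      # reports can be inspected on a red build.  upload-artifact stays at v3
      # here; presumably the Gitea runner lacks the v4 artifact API -- confirm
      # before bumping.
      - name: Upload Coverage HTML
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: coverage-html
          path: htmlcov/
          if-no-files-found: warn

      - name: Upload Coverage XML
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: coverage-xml
          path: coverage.xml
          if-no-files-found: warn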