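---
# Reusable workflow: checks out the calling repository, installs a Python
# security scanner and runs it inside a python:<version>-slim container.
#
# Trust boundary: install_command and security_command are expanded by the
# expression engine directly into the step script, so whatever the caller
# passes is executed as shell. Callers should pass only static, reviewed
# strings and never forward event data (PR titles, branch names, issue text).
name: Reusable Python Security Checks

on:
  workflow_call:
    inputs:
      python_version:
        description: 'Version part of the container tag python:<version>-slim.'
        type: string
        default: "3.14"
      install_command:
        description: 'Shell command that installs the scanner; executed verbatim.'
        type: string
        # Installs whatever bandit release is current at run time; pass a
        # version-pinned command if reproducible scans are required.
        default: 'python -m pip install "bandit[toml]"'
      security_command:
        description: 'Shell command that runs the scan; executed verbatim.'
        type: string
        default: "python -m bandit -r app -c pyproject.toml"
      working_directory:
        description: 'Directory in which both commands are run.'
        type: string
        default: "."

jobs:
  security:
    runs-on: docker
    container:
      # The tag is mutable and partly caller-controlled; pin by digest in the
      # caller's fork of this workflow if image provenance matters.
      image: python:${{ inputs.python_version }}-slim
    steps:
      - name: Checkout
        # v4 is a moving tag; pinning to a full commit SHA protects against a
        # retagged release.
        uses: actions/checkout@v4
        with:
          # The following steps run third-party packages and caller-supplied
          # commands that have no need for the job token, so do not leave it
          # in the local git config.
          persist-credentials: false

      - name: Install security tools
        working-directory: ${{ inputs.working_directory }}
        run: ${{ inputs.install_command }}

      - name: Run security scan
        working-directory: ${{ inputs.working_directory }}
        run: ${{ inputs.security_command }}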