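---
# PR Checks: unit tests, lint and format checks, dependency and secret scans,
# and a PR-title lint for every pull request that targets main.
#
# Security notes:
# - Every job builds and runs code supplied by the pull request, so
#   GITHUB_TOKEN is limited to read-only repository contents and is not left
#   in the checked-out repository (persist-credentials: false).
# - Actions are referenced by version tag. Tags can be moved; pinning each
#   `uses:` to a full commit SHA makes the executed code immutable.
name: PR Checks

on:
  pull_request:
    branches: [main]

permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Later steps run PR code; keep the token out of .git/config.
          persist-credentials: false

      # NOTE(review): this job has no uv install step, so it assumes uv is
      # already present on the runner (image or ~/.local/bin) - confirm.
      # The GITHUB_PATH entry only takes effect for the steps that follow.
      - name: Use system Python
        run: |
          echo "Python $(python3 --version)"
          echo "UV=$(uv --version)"
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"

      - name: Install dependencies
        run: uv sync --group dev

      - name: Run tests with coverage
        run: >-
          uv run pytest tests/unit/ -v --tb=short
          --cov=src/kwork_api --cov-report=term-missing

      - name: Run linting
        run: uv run ruff check src/kwork_api tests/

      - name: Run formatter check
        run: uv run ruff format --check src/kwork_api tests/

  security:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      # The installer is downloaded and executed unpinned and unverified:
      # whatever the URL serves at run time executes on the runner.
      # Prefer a pinned uv release whose checksum is verified before use.
      - name: Install UV
        run: |
          curl -LsSf https://astral.sh/uv/install.sh | sh
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"

      - name: Install dependencies
        run: uv sync --group dev

      # Advisory (non-blocking): a non-zero exit raises a warning annotation
      # instead of being discarded. Replace the wrapper with a bare
      # `uv run pip-audit` to make vulnerable dependencies fail the PR.
      - name: Run safety check
        run: |
          if ! uv run pip-audit; then
            echo "::warning::pip-audit reported findings or could not run; see the step log"
          fi

      # Advisory (non-blocking) pattern scan, not a real secret scanner: it
      # flags any `password =` / `token =` assignment in src/*.py, including
      # harmless ones, and misses secrets under other names or file types.
      - name: Check for secrets
        run: |
          if grep -rn -e "password\s*=" -e "token\s*=" --include="*.py" src/; then
            echo "::warning::Possible hard-coded credentials in src/; see the step log"
          fi

  commitlint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: "20"

      # Installed unpinned: the versions npm serves at run time are used.
      - name: Install commitlint
        run: npm install -g @commitlint/cli @commitlint/config-conventional

      # The PR title is attacker-controlled text. It reaches the script via an
      # environment variable, never via an inline expression in `run:`, since
      # an expression is pasted into the script before the shell parses it.
      # NOTE(review): `--help-only` does not look like a documented commitlint
      # option - confirm. Combined with `|| true` this step cannot fail, so
      # the title is not actually enforced.
      - name: Validate PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          printf '%s\n' "$PR_TITLE" | commitlint --help-only || true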