kwork-api/.gitea/workflows/pr-check.yml

name: PR Checks

on:
  pull_request:
    branches: [main]

jobs:
  test:
    runs-on: ubuntu-latest
    
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      
      - name: Use system Python
        run: |
          echo "Python $(python3 --version)"
          echo "$HOME/.local/bin" >> $GITHUB_PATH          
      
      - name: Install dependencies (with dev)
        run: uv sync --group dev
      
      - name: Run tests with coverage
        run: uv run pytest tests/unit/ -v --tb=short --cov=src/kwork_api --cov-report=term-missing
      
      - name: Run linting
        run: uv run ruff check src/kwork_api tests/
      
      - name: Run formatter check
        run: uv run ruff format --check src/kwork_api tests/

  security:
    runs-on: ubuntu-latest
    
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      
      - name: Use system Python
        run: |
          echo "$HOME/.local/bin" >> $GITHUB_PATH          
      
      - name: Install dependencies
        run: uv sync --group dev
      
      - name: Run safety check
        run: uv run pip-audit || true
      
      - name: Check for secrets
        run: |
          ! grep -r "password\s*=" --include="*.py" src/ || true
          ! grep -r "token\s*=" --include="*.py" src/ || true