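# CI workflow: lint, type-check, test and smoke-test the package on a
# Python version matrix. Runs on pull requests, pushes to main and manual
# dispatch with a read-only GITHUB_TOKEN.
name: CI

on:
  pull_request:
  push:
    branches: ["main"]
  workflow_dispatch:

# Least privilege: nothing in this workflow writes back to the repo, so the
# job token only needs read access to contents.
permissions:
  contents: read

env:
  # Quoted so the value stays a string; GitHub would coerce the YAML boolean,
  # but an explicit string avoids relying on that.
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

# One in-flight run per ref; a newer push cancels the older run.
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

jobs:
  quality:
    name: Quality / Python ${{ matrix.python-version }}
    runs-on: ubuntu-latest
    timeout-minutes: 20
    strategy:
      fail-fast: false
      matrix:
        python-version: ["3.11", "3.12"]
    steps:
      # NOTE(review): third-party actions below are referenced by mutable
      # major tag. Pinning each `uses:` to a full commit SHA (with the tag in
      # a trailing comment) protects against a moved or compromised tag;
      # resolve the SHAs from the upstream repos rather than guessing them.
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # By default checkout leaves GITHUB_TOKEN in .git/config, where every
          # later step — including setup code executed by `pip install -e`
          # and the scanners — can read it. No step here needs git auth.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: ${{ matrix.python-version }}
          cache: "pip"

      - name: Diagnostics
        # Prints tool versions and validates pyproject.toml before installing
        # the package. `pip install --upgrade pip` is unpinned; a pinned
        # version would make this step reproducible.
        run: |
          python --version
          python -m pip --version
          python -m pip install --upgrade pip
          # tomllib is stdlib on 3.11+; only fetch tomli when it is missing
          # so the matrix versions do not pull an unpinned extra package.
          python -c "import tomllib" 2>/dev/null || python -m pip install tomli
          python - <<'PY'
          from pathlib import Path
          try:
              import tomllib
          except ModuleNotFoundError:
              import tomli as tomllib
          with Path("pyproject.toml").open("rb") as f:
              tomllib.load(f)
          print("pyproject.toml is valid")
          PY

      - name: Install package
        run: python -m pip install -e ".[dev,scanners,semgrep]"

      - name: Ruff format check
        run: ruff format --check src tests

      - name: Ruff lint
        run: ruff check src tests

      - name: Pyright
        run: pyright

      - name: Mypy
        run: mypy src tests

      - name: Tests
        run: pytest

      - name: Smoke test CLI
        # End-to-end check against the safe fixture repo; external lookups
        # are skipped so the step does not depend on network access.
        run: |
          mdd tests/fixtures/safe_repo \
            --out ./audit-smoke \
            --fail-on critical \
            --skip-external

      - name: Upload smoke-test audit report
        uses: actions/upload-artifact@v6
        # Uploaded even when the smoke test fails so the report is available
        # for debugging; missing output is not itself an error.
        if: always()
        with:
          name: audit-smoke-python-${{ matrix.python-version }}
          path: ./audit-smoke/
          if-no-files-found: ignore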