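---
# Pull-request CI: runs the test suite, lint and type checks, then audits the
# repository's workflows with the project's own ghaw-auditor CLI.
name: PR

# `pull_request` (not `pull_request_target`): the jobs execute code from the
# PR head, so every step below should be treated as running untrusted code.
on:
  pull_request:

jobs:
  test:
    runs-on: ubuntu-latest
    # Least privilege: the job token can only read repository contents.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          # No later step pushes or fetches, so do not leave the job token in
          # the checkout's git config where PR-supplied code could read it.
          persist-credentials: false
      - uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d  # v7.1.0
      - name: Install dependencies
        # NOTE(review): if a uv.lock is committed, `uv sync --locked` would
        # fail on lockfile drift instead of re-resolving - confirm.
        run: uv sync
      - name: Run tests
        run: uv run -m pytest --cov
      # uvx resolves ruff and mypy at run time; unlike the actions above,
      # their versions are not pinned in this file.
      - name: Lint
        run: uvx ruff check .
      - name: Type check
        run: uvx mypy .

  audit:
    runs-on: ubuntu-latest
    # Least privilege: the job token can only read repository contents.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
        with:
          # The token is passed explicitly to the one step that needs it;
          # keep it out of the checkout's git config.
          persist-credentials: false
      - uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d  # v7.1.0
      - name: Install
        run: |
          uv sync
          uv pip install -e .
      - name: Audit workflows
        # The auditor is installed from the PR checkout, so this step hands
        # GITHUB_TOKEN to PR-supplied code; the read-only job permissions
        # above are what bound that exposure.
        run: uv run ghaw-auditor scan --repo . --output audit-results
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload results
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
        # Upload even when the scan step fails so findings can be inspected.
        if: always()
        with:
          name: audit-results
          path: audit-results/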