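# Reusable workflow: runs the Python lint, format and type checks inside the
# build-tools container image supplied by the caller.
name: Check Codestyle Python

on:
  workflow_call:
    inputs:
      build-tools-image:
        description: 'build-tools image'
        required: true
        type: string

defaults:
  run:
    # -e/-u/-o pipefail fail fast; -x traces every command into the job log.
    # GitHub masks registered secrets in logs, but values derived from them
    # are not masked, so keep secrets out of `run:` command lines.
    shell: bash -euxo pipefail {0}

# Workflow-level default for GITHUB_TOKEN: read-only repository contents.
permissions:
  contents: read

jobs:
  check-codestyle-python:
    runs-on: [ self-hosted, small ]

    # A job-level permissions block replaces the workflow-level one: every
    # scope not listed here (including contents) is set to none for this
    # job's GITHUB_TOKEN. packages: read is what the token needs when it is
    # passed below as the registry password for the container image.
    # NOTE(review): if checkout ever needs contents: read (for example in a
    # private repository), it has to be repeated here.
    permissions:
      packages: read

    container:
      # The image reference comes from the caller; every step below runs
      # inside it, so callers should pass a trusted image reference.
      image: ${{ inputs.build-tools-image }}
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
      options: --init

    steps:
      # Audit mode only records outbound connections; it does not block any.
      # Once the expected endpoints are known, `egress-policy: block` with an
      # allow-list is the enforcing configuration.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          egress-policy: audit

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # No later step pushes or fetches, so do not leave the token in
          # .git/config where the repository scripts and tools run below
          # could read it.
          persist-credentials: false

      # Third-party cache action, pinned to a full commit SHA so a moved tag
      # cannot change the code that receives the bucket keys.
      # The restored virtualenvs are executed by the `poetry run` steps, so
      # write access to this bucket amounts to code execution in this job.
      - name: Cache poetry deps
        uses: tespkg/actions-cache@b7bf5fcc2f98a52ac6080eb0fd282c2f752074b1 # v1.8.0
        with:
          endpoint: ${{ vars.HETZNER_CACHE_REGION }}.${{ vars.HETZNER_CACHE_ENDPOINT }}
          bucket: ${{ vars.HETZNER_CACHE_BUCKET }}
          accessKey: ${{ secrets.HETZNER_CACHE_ACCESS_KEY }}
          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
          use-fallback: false
          path: ~/.cache/pypoetry/virtualenvs
          # Keyed on the lock file hash: a dependency change yields a new
          # cache entry instead of reusing a stale environment.
          key: v2-${{ runner.os }}-${{ runner.arch }}-python-deps-bookworm-${{ hashFiles('poetry.lock') }}

      # Repository script run before the checks; its contents are not shown
      # here.
      - run: ./scripts/pysync

      # Lint, formatting check (no rewrite) and static type check.
      - run: poetry run ruff check .

      - run: poetry run ruff format --check .

      - run: poetry run mypy .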