name: Check Codestyle Python

on:
  workflow_call:
    inputs:
      build-tools-image:
        description: 'build-tools image'
        required: true
        type: string

defaults:
  run:
    shell: bash -euxo pipefail {0}

permissions:
  contents: read

jobs:
  check-codestyle-python:
    runs-on: [ self-hosted, small ]

    permissions:
      packages: read

    container:
      image: ${{ inputs.build-tools-image }}
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
      options: --init

    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          egress-policy: audit

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
        with:
          path: ~/.cache/pypoetry/virtualenvs
          key: v2-${{ runner.os }}-${{ runner.arch }}-python-deps-bookworm-${{ hashFiles('poetry.lock') }}

      - run: ./scripts/pysync

      - run: poetry run ruff check .
      - run: poetry run ruff format --check .
      - run: poetry run mypy .