name: Continuous Integration

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  lint-and-security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: '3.12'
      
      - name: Install Linting Tools
        run: |
          python -m pip install --upgrade pip
          pip install ruff bandit
      
      - name: Lint with Ruff
        run: ruff check .
      
      - name: Security Scan with Bandit
        # We ignore B101 (assert) as it's common in tests, and B303 (MD5) 
        # because OpenTTD protocol REQUIRES MD5 for company passwords.
        run: bandit -r lib/ -ll -i -s B101,B303

  tests-and-coverage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: '3.12'
          
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install openttd-protocol pymonocypher pytest pytest-asyncio pytest-cov
          
      - name: Run Tests with Strict Coverage
        env:
          PYTHONPATH: lib
          CI: true
        # We run tests and fail if coverage is below 100%.
        # E2E test is skipped in CI because no local OpenTTD server is available.
        run: |
          pytest --cov=openttd --cov-report=term-missing --cov-fail-under=100 -k "not test_server_connection_and_join" tests/