name: tests

on:
  push:
    branches-ignore:
    - 'wip-*'
    paths-ignore:
    - 'docs/**'
    - 'README.md'
  pull_request:
    branches-ignore:
    - 'wip-*'
    paths-ignore:
    - 'docs/**'

env:
  FORCE_COLOR: '1'

jobs:
  build:

    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      max-parallel: 3
      matrix:
        python:
        - version: "3.10"
        - version: "3.11"
        - version: "3.12"
        - version: "3.13"
        - version: "3.14"
        - version: "pypy@3.11"

    steps:
    - uses: actions/checkout@v6
      with:
        fetch-depth: 0

    - name: Install uv
      uses: astral-sh/setup-uv@v7
      with:
        enable-cache: true
        cache-dependency-glob: |
          **/uv.lock

    - name: Set up Python ${{ matrix.python.version }}
      run: |
        uv python install ${{ matrix.python.version }}
        uv python pin ${{ matrix.python.version }}

    - name: Install dependencies
      run: |
        uv sync

    - name: Test with tox
      env:
        TOXENV: py,jose,clients,flask,django
      run: |
        uvx --with tox-uv tox -p auto

    - name: Report coverage
      run: |
        uv run coverage combine
        uv run coverage report
        uv run coverage xml

    - name: Check diff coverage for modified files
      if: github.event_name == 'pull_request'
      run: |
        uv run diff-cover coverage.xml --compare-branch=origin/${{ github.base_ref }} --fail-under=100 --format github-annotations:warning

    - name: Upload coverage to Codecov
      uses: codecov/codecov-action@v5
      with:
        token: ${{ secrets.CODECOV_TOKEN }}
        files: ./coverage.xml
        flags: unittests
        name: GitHub

    - name: SonarCloud Scan
      uses: SonarSource/sonarqube-scan-action@v6
      continue-on-error: true
      env:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

    - name: Minimize cache
      run: |
        uv cache prune --ci