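# CI pipeline: lint, type-check, dependency audit, secret scan, tests and
# latency guardrails on every push and pull request; the container image is
# built and pushed only for non-pull-request events.
name: CI

on:
  push:
    branches: ["main", "master"]
    tags: ["v*"]
  pull_request:

# Least privilege for the automatically issued workflow token: every step
# below only reads the repository, and the registry push authenticates with
# its own secrets.
# NOTE(review): GitHub Actions enforces this key; the registry host suggests a
# Gitea runner may execute this file - confirm that it honours `permissions`.
permissions:
  contents: read

jobs:
  lint-test-build:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every `uses:` below references a mutable major-version
      # tag; pinning each action to a full commit SHA keeps an upstream retag
      # from changing what runs next to the registry secrets.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # The default checkout is a depth-1 clone, so a scan of git history
          # would only ever see the tip commit. Fetch the full history for
          # the "Secret scan" step.
          fetch-depth: 0
          # No later step pushes to the repository, so do not leave the
          # checkout token in .git/config where installed packages and test
          # code could read it.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          # Quoted so the version stays a string rather than a float.
          python-version: "3.12"

      - name: Install project + dev deps
        # ".[dev]" is quoted so the shell cannot treat the brackets as a glob.
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[dev]"
          pip install pip-audit

      - name: Ruff
        run: ruff check .

      # - name: Black
      #   run: black --check .

      - name: MyPy
        run: mypy src

      # NOTE(review): the audited file is a `.in` requirements input; if its
      # entries are unpinned, the audit covers whatever versions resolve at
      # run time, not necessarily the versions shipped in the image - confirm.
      - name: Dependency audit
        run: pip-audit -r requirements/latest-runtime.in

      - name: Secret scan (worktree + git history)
        run: python scripts/security_scan.py

      - name: Tests
        run: pytest -q

      - name: Latency guardrails
        run: |
          python scripts/check_latency_regression.py \
            --baseline ops/performance/latency_baseline.json \
            --thresholds ops/performance/latency_thresholds.json \
            --iterations 600

      # Registry credentials are handed only to this step, and only on
      # non-pull-request events, so pull-request runs never log in or push.
      - name: Login to Gitea registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: git.allucanget.biz
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_TOKEN }}

      # NOTE(review): both branch pushes and `v*` tag pushes overwrite the
      # single mutable `latest` tag, so nothing ties a pulled image to a
      # commit or release. Consider an additional immutable tag and having
      # consumers pin by digest.
      - name: Build and push image
        if: github.event_name != 'pull_request'
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: git.allucanget.biz/allucanget/arbitrade:latest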