name: Lint and mock tests

# Runs on every push and pull request — including PRs from forks. This workflow
# is intentionally limited to lint + the mock provider so it can run safely on
# untrusted code (no secrets, no cloud credentials).
#
# Cloud-provider integration tests live in integration-cloud.yaml, which uses
# pull_request_target plus a maintainer-applied `safe-to-test` label and a
# protected GitHub Environment.

on:
  push:
    branches:
    - main
  pull_request:
    branches:
      - main
  workflow_dispatch: {}

permissions:
  contents: read

jobs:
  lint:
    name: Lint code
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: [ '3.13' ]
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          persist-credentials: false

      - name: Setup Python
        uses: actions/setup-python@v6
        with:
           python-version: ${{ matrix.python-version }}

      - name: Cache pip dir
        uses: actions/cache@v5
        with:
          path: ~/.cache/pip
          key: pip-cache-${{ matrix.python-version }}-lint

      - name: Install required packages
        run: pip install tox

      - name: Run tox
        run: tox -e lint

  mock:
    name: Mock-provider tests
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ['3.13']
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          persist-credentials: false

      - name: Setup Python
        uses: actions/setup-python@v6
        with:
           python-version: ${{ matrix.python-version }}

      - name: Cache pip dir
        uses: actions/cache@v5
        with:
          path: ~/.cache/pip
          key: pip-cache-${{ matrix.python-version }}-${{ hashFiles('**/setup.py', '**/requirements.txt') }}

      - name: Install required packages
        run: pip install tox

      - name: Run tox
        run: tox -e py${{ matrix.python-version }}-mock
        env:
          PYTHONUNBUFFERED: "True"