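# Security audit workflow: runs the Bandit static analyzer over the repository
# on every push to main and on every pull request.
name: audit

on:
  push:
    branches:
      - main
  pull_request:

# Least privilege: this workflow only reads the repository, so the job token
# gets no write scopes.
permissions:
  contents: read

jobs:
  bandit:
    name: bandit
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions are referenced by mutable tag (v4). Pinning each
      # `uses:` to a full commit SHA protects the job from a retagged release.
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Later steps run code fetched from the network; do not leave the
          # job token in the checked-out repository's git config.
          persist-credentials: false

      # NOTE(review): this pipes an unpinned, unverified script into a shell.
      # Prefer a pinned installer URL
      # (https://astral.sh/uv/<PINNED_VERSION>/install.sh) or a SHA-pinned
      # setup action so the toolchain is reproducible and reviewable.
      - name: Install uv
        run: curl -LsSf https://astral.sh/uv/install.sh | sh

      # The key is derived from uv.lock, so a lockfile change gives a fresh
      # cache; restore-keys falls back to the newest cache for this OS.
      - name: Cache uv dependencies
        uses: actions/cache@v4
        with:
          path: |
            ~/.cache/uv
            .venv
          key: ${{ runner.os }}-uv-${{ hashFiles('**/uv.lock') }}
          restore-keys: |
            ${{ runner.os }}-uv-

      - name: Sync dependencies (with dev tools)
        run: uv sync --dev

      # No `|| true` here: Bandit exits non-zero when it reports issues, and
      # that exit code must fail the job. Discarding it turns the audit into
      # a step that can never block a merge. Tune severity/confidence in the
      # Bandit section of pyproject.toml rather than masking the result.
      - name: Run Bandit (security linter)
        run: uv run bandit -r . -c pyproject.toml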