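# Runs the repository's pre-commit hooks (lint, format, spelling, secret scan,
# whitespace fixers) on pull requests and merge-queue entries targeting main.
name: Pre-commit

on:
  workflow_dispatch:
  # `pull_request` (not `pull_request_target`): the job runs code and hook
  # configuration taken from the PR itself, so it relies on the read-only
  # token declared under `permissions` below.
  pull_request:
    branches:
      - main
  merge_group:
    branches:
      - main

# Least privilege: the job only needs to read the repository contents.
permissions:
  contents: read

jobs:
  pre-commit:
    runs-on: ubuntu-latest
    env:
      # Wheels only: pip refuses source distributions, so no sdist tarball is
      # extracted and no package build step runs during install.
      PIP_ONLY_BINARY: ":all:"
      # Skip pip's self-update check (one less outbound request).
      PIP_DISABLE_PIP_VERSION_CHECK: "1"
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment records the release each SHA corresponds to.
      - name: Harden Runner
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          # NOTE(review): `audit` only records outbound connections, it does
          # not stop them. Once the audit baseline is known, consider
          # `egress-policy: block` with an explicit `allowed-endpoints` list.
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history rather than a shallow clone.
          fetch-depth: 0
          # Do not leave the workflow token in the local git config where
          # later steps (including hook code) could read it.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          # Quoted so YAML keeps it a string (an unquoted 3.10 would load as
          # the float 3.1).
          python-version: "3.12"
          cache: "pip"  # caching pip dependencies
          cache-dependency-path: ./.github/scripts/requirements_pre_commit.txt

      # This step only installs the tooling; the hooks run in the next step.
      - name: Install pre-commit dependencies
        run: |
          # --require-hashes: every requirement must match a pinned hash in
          # the requirements file, otherwise the install fails.
          pip install --require-hashes --only-binary=:all: -r ./.github/scripts/requirements_pre_commit.txt

      # NOTE(review): pre-commit fetches the hook repositories named in
      # .pre-commit-config.yaml at run time; those downloads are not covered
      # by pip's hash checking. How the hook revisions are pinned is not
      # visible from this workflow - confirm in .pre-commit-config.yaml.
      - name: Run Pre-Commit
        run: |
          pre-commit run ruff --all-files -c .pre-commit-config.yaml
          pre-commit run ruff-format --all-files -c .pre-commit-config.yaml
          pre-commit run codespell --all-files -c .pre-commit-config.yaml
          pre-commit run gitleaks --all-files -c .pre-commit-config.yaml
          pre-commit run end-of-file-fixer --all-files -c .pre-commit-config.yaml
          pre-commit run trailing-whitespace --all-files -c .pre-commit-config.yaml
          # Fail the job if any hook rewrote a tracked file.
          git diff --exit-code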