name: quality-gates

on:
  pull_request:
  push:
    branches: [main]

jobs:
  lint-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install project dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e .[dev]
      - name: Ruff lint
        run: python -m ruff check backend tests
      - name: Pytest coverage and contracts
        run: python -m pytest

  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install scanner
        run: |
          python -m pip install --upgrade pip
          pip install pip-audit
      - name: Dependency vulnerability scan
        run: pip-audit