on:
  workflow_call:
  # Permissions inherited from caller workflow

permissions: {}

jobs:
  lint-test:
    name: Lint Test
    runs-on: ubuntu-latest

    steps:
      - name: Checkout TUF
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Set up Python (oldest supported version)
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.10"
          cache: 'pip'
          cache-dependency-path: |
            requirements/*.txt
            pyproject.toml

      - name: Install dependencies
        run: |
          python3 -m pip install --constraint requirements/build.txt tox coveralls

      - name: Run tox
        env:
          RUFF_OUTPUT_FORMAT: github
        run: tox -e lint

  tests:
    name: Tests
    needs: lint-test
    strategy:
      matrix:
        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
        os: [ubuntu-latest]
        include:
          - python-version: "3.x"
            os: macos-latest
          - python-version: "3.x"
            os: windows-latest

    runs-on: ${{ matrix.os }}

    steps:
      - name: Checkout TUF
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ matrix.python-version }}
          cache: 'pip'
          cache-dependency-path: |
            requirements/*.txt
            pyproject.toml

      - name: Install dependencies
        run: |
          python3 -m pip install --constraint requirements/build.txt tox coveralls

      - name: Run tox
        run: tox -e py

      - name: Publish on coveralls.io
        # A failure to publish coverage results on coveralls should not
        # be a reason for a job failure.
        continue-on-error: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COVERALLS_FLAG_NAME: ${{ runner.os }} / Python ${{ matrix.python-version }}
          COVERALLS_PARALLEL: true
        run: |
          coveralls --service=github

  all-tests-pass:
    name: All tests passed
    needs: [lint-test, tests]
    runs-on: ubuntu-latest
    steps:
      - run: echo "All test jobs have completed successfully."

  coveralls-fin:
    # Always run when all 'tests' jobs have finished even if they failed
    # TODO: Replace always() with a 'at least one job succeeded' expression
    if: always()
    needs: tests
    runs-on: ubuntu-latest
    steps:
      - name: Add requirements file to make setup-python happy
        run: touch requirements.txt

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: '3.x'
          cache: 'pip'

      - name: Install dependencies
        run: |
          python3 -m pip install coveralls

      - name: Finalize publishing on coveralls.io
        continue-on-error: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: coveralls --finish