on:
  workflow_call:
  # Permissions inherited from caller workflow

permissions: {}

jobs:
  lint-test:
    name: Lint Test
    runs-on: ubuntu-latest

    steps:
      - name: Checkout TUF
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Set up Python (oldest supported version)
        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
        with:
          python-version: 3.8
          cache: 'pip'
          cache-dependency-path: |
            requirements/*.txt
            pyproject.toml

      - name: Install dependencies
        run: |
          python3 -m pip install --constraint requirements/build.txt tox coveralls

      - name: Run tox
        env:
          RUFF_OUTPUT_FORMAT: github
        run: tox -e lint

  tests:
    name: Tests
    needs: lint-test
    strategy:
      matrix:
        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
        os: [ubuntu-latest]
        include:
          - python-version: "3.12"
            os: macos-latest
          - python-version: "3.12"
            os: windows-latest

    runs-on: ${{ matrix.os }}

    steps:
      - name: Checkout TUF
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
        with:
          python-version: ${{ matrix.python-version }}
          cache: 'pip'
          cache-dependency-path: |
            requirements/*.txt
            pyproject.toml

      - name: Install dependencies
        run: |
          python3 -m pip install --constraint requirements/build.txt tox coveralls

      - name: Run tox
        run: tox -e py

      - name: Publish on coveralls.io
        # A failure to publish coverage results on coveralls should not
        # be a reason for a job failure.
        continue-on-error: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COVERALLS_FLAG_NAME: ${{ runner.os }} / Python ${{ matrix.python-version }}
          COVERALLS_PARALLEL: true
        # Use cp workaround to publish coverage reports with relative paths
        # FIXME: Consider refactoring the tests to not require the test
        # aggregation script being invoked from the `tests` directory, so
        # that `.coverage` is written to and .coveragrc can also reside in
        # the project root directory as is the convention.
        run: |
          cp tests/.coverage .
          coveralls --service=github --rcfile=tests/.coveragerc

  coveralls-fin:
    # Always run when all 'tests' jobs have finished even if they failed
    # TODO: Replace always() with a 'at least one job succeeded' expression
    if: always()
    needs: tests
    runs-on: ubuntu-latest
    steps:
      - name: Add requirements file to make setup-python happy
        run: touch requirements.txt

      - name: Set up Python
        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
        with:
          python-version: '3.x'
          cache: 'pip'

      - name: Install dependencies
        run: |
          python3 -m pip install coveralls

      - name: Finalize publishing on coveralls.io
        continue-on-error: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: coveralls --finish