name: Security Checker

on: [pull_request]

jobs:
  security-check:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install uv
        uses: astral-sh/setup-uv@v6
        with:
          enable-cache: true
          cache-dependency-glob: |
            **/pyproject.toml
            **/uv.lock

      - name: Set up Python
        run: uv python install 3.11

      - name: Install dependencies
        run: uv sync --dev --no-install-project

      - name: Run Bandit
        run: uv run bandit -c pyproject.toml -r src/ -ll