name: _Unit Test Services Base (Reusable)

on:
  workflow_call:
    inputs:
      test-path:
        description: "Pytest path(s) to run"
        required: true
        type: string
      workers:
        description: "Number of pytest-xdist workers (0 = no parallelism)"
        required: false
        type: number
        default: 2
      reruns:
        description: "Number of reruns for flaky tests"
        required: false
        type: number
        default: 2
      timeout-minutes:
        description: "Job timeout in minutes"
        required: false
        type: number
        default: 20
      max-failures:
        description: "Stop after this many failures"
        required: false
        type: number
        default: 10
      enable-postgres:
        description: "Start a local Postgres service container and run Prisma migrations"
        required: false
        type: boolean
        default: false
      artifact-name:
        description: "Unique name for the coverage artifact (must be unique per run)"
        required: false
        type: string
        default: "run"
    secrets:
      DATABASE_URL:
        required: false
      POSTGRES_USER:
        required: false
      POSTGRES_PASSWORD:
        required: false

permissions:
  contents: read

jobs:
  run:
    name: Run tests
    runs-on: ubuntu-latest
    timeout-minutes: ${{ inputs.timeout-minutes }}
    # Environment is derived from the enable-* flags, not caller-controllable.
    # This prevents callers from passing arbitrary environment names to bypass secret scoping.
    environment: >-
      ${{
        inputs.enable-postgres && 'integration-postgres' ||
        ''
      }}

    services:
      postgres:
        image: postgres@sha256:705a5d5b5836f3fcba0d02c4d281e6a7dd9ed2dd4078640f08a1e1e9896e097d # postgres:14
        env:
          POSTGRES_USER: ${{ secrets.POSTGRES_USER }}
          POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
          POSTGRES_DB: litellm_test
        ports:
          - 5432:5432
        options: >-
          --health-cmd "pg_isready"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5

    steps:
      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.12"

      - name: Set up uv
        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
        with:
          version: "0.10.9"

      - name: Cache uv dependencies
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: |
            ~/.cache/uv
            .venv
          key: ${{ runner.os }}-uv-services-${{ hashFiles('uv.lock') }}
          restore-keys: |
            ${{ runner.os }}-uv-services-

      - name: Install dependencies
        run: |
          uv sync --frozen --group ci --group proxy-dev --extra google --extra proxy --extra semantic-router

      - name: Generate Prisma client
        env:
          PRISMA_BINARY_CACHE_DIR: ${{ runner.temp }}/prisma-cache
        run: |
          uv run --no-sync prisma generate --schema litellm/proxy/schema.prisma

      - name: Run Prisma migrations
        if: ${{ inputs.enable-postgres }}
        env:
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
        run: |
          uv run --no-sync prisma db push --schema litellm/proxy/schema.prisma --accept-data-loss

      - name: Run tests
        env:
          TEST_PATH: ${{ inputs.test-path }}
          MAX_FAILURES: ${{ inputs.max-failures }}
          WORKERS: ${{ inputs.workers }}
          RERUNS: ${{ inputs.reruns }}
          DATABASE_URL: ${{ inputs.enable-postgres && secrets.DATABASE_URL || '' }}
        run: |
          if [ "${WORKERS}" = "0" ]; then
            uv run --no-sync pytest ${TEST_PATH:?} \
              --tb=short -vv \
              --maxfail="${MAX_FAILURES}" \
              --reruns "${RERUNS}" \
              --reruns-delay 1 \
              --durations=20 \
              --cov=litellm \
              --cov-report=xml:coverage.xml \
              --cov-config=pyproject.toml
          else
            uv run --no-sync pytest ${TEST_PATH:?} \
              --tb=short -vv \
              --maxfail="${MAX_FAILURES}" \
              -n "${WORKERS}" \
              --reruns "${RERUNS}" \
              --reruns-delay 1 \
              --dist=loadscope \
              --durations=20 \
              --cov=litellm \
              --cov-report=xml:coverage.xml \
              --cov-config=pyproject.toml
          fi

      - name: Save coverage report
        if: always()
        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
        with:
          name: coverage-${{ inputs.artifact-name }}-${{ github.run_id }}-${{ github.run_attempt }}
          path: coverage.xml
          retention-days: 1

  upload-coverage:
    name: Upload coverage to Codecov
    needs: run
    if: always()
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      pull-requests: write

    steps:
      - name: Checkout code
        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          persist-credentials: false

      - name: Download coverage report
        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
        with:
          pattern: coverage-${{ inputs.artifact-name }}-${{ github.run_id }}-${{ github.run_attempt }}
          path: coverage-reports
          merge-multiple: true

      - name: Upload to Codecov
        uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4
        with:
          use_oidc: true
          directory: coverage-reports
          root_dir: ${{ github.workspace }}
          fail_ci_if_error: false