name: LiteLLM Linting

on:
  pull_request:
    branches: [main]

permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    timeout-minutes: 5

    steps:
      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          fetch-depth: 0
          clean: true
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.12"

      - name: Set up uv
        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
        with:
          version: "0.10.9"

      - name: Clean Python cache
        run: |
          find . -type d -name "__pycache__" -exec rm -rf {} + || true
          find . -name "*.pyc" -delete || true

      - name: Check uv.lock is up to date
        run: |
          uv lock --check || (echo "❌ uv.lock is out of sync with pyproject.toml. Run 'uv lock' locally and commit the result." && exit 1)

      - name: Install dependencies
        run: |
          uv sync --frozen

      - name: Check Black formatting
        run: |
          cd litellm
          uv run --no-sync black --check --exclude '/enterprise/' .
          cd ..

      - name: Debug - Check file state
        run: |
          echo "Current branch:"
          git branch --show-current
          echo "Last 3 commits:"
          git log --oneline -3
          echo "File content around line 43:"
          head -50 litellm/litellm_core_utils/custom_logger_registry.py | tail -10

      - name: Run Ruff linting
        run: |
          cd litellm
          uv run --no-sync ruff check .
          cd ..

      - name: Print OpenAI version
        run: |
          uv run --no-sync python -c "import openai; print(f'OpenAI version: {openai.__version__}')"

      - name: Run MyPy type checking
        run: |
          cd litellm
          uv run --no-sync mypy .
          cd ..

      - name: Check for circular imports
        run: |
          cd litellm
          uv run --no-sync python ../tests/documentation_tests/test_circular_imports.py
          cd ..

      - name: Check import safety
        run: |
          uv run --no-sync python -c "from litellm import *" || (echo '🚨 import failed, this means you introduced unprotected imports! 🚨'; exit 1)

  secret-scan:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: read

    steps:
      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.12"

      - name: Set up uv
        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
        with:
          version: "0.10.9"

      - name: Run secret scan test
        run: |
          uv run --frozen --with 'pytest==9.0.2' pytest tests/litellm/test_no_hardcoded_secrets.py -v

      - name: Run ggshield secret scan
        env:
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
        run: |
          if [ -n "$GITGUARDIAN_API_KEY" ]; then
            uv tool run --from 'ggshield==1.48.0' ggshield secret scan repo .
          else
            echo "GITGUARDIAN_API_KEY not set, skipping ggshield scan"
          fi