name: test / unit / python-sdk

on:
  push:
    branches: [main]
    paths:
      - "sdk-python/**"
      - ".github/workflows/test_unit-python-sdk.yml"
  pull_request:
    branches: [main]
    paths:
      - "sdk-python/**"
      - ".github/workflows/test_unit-python-sdk.yml"

# Least-privilege by default. Individual jobs/steps can widen when needed.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: depot-ubuntu-24.04-4
    timeout-minutes: 10
    permissions:
      contents: read
      # id-token: write is required for Depot OIDC auth (runs-on: depot-ubuntu-*).
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ matrix.python-version }}

      - name: Install Poetry
        uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
        with:
          version: latest
          virtualenvs-create: true
          virtualenvs-in-project: true

      - name: Install dependencies
        working-directory: sdk-python
        run: poetry lock && poetry install --with dev

      - name: Run tests
        working-directory: sdk-python
        run: poetry run python -m pytest tests/ -v