name: Check python dependencies

on:
  push:
    branches:
      - "master"
      - "[0-9].[0-9]*"
  pull_request:
    types: [synchronize, opened, reopened, ready_for_review]

permissions:
  contents: read
  pull-requests: read

# cancel previous workflow jobs for PRs
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

jobs:
  check-python-deps:
    runs-on: ubuntu-22.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
          submodules: recursive
          fetch-depth: 1

      - name: Check for file changes
        id: check
        uses: ./.github/actions/change-detector/
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Python
        if: steps.check.outputs.python
        uses: ./.github/actions/setup-backend/

      # Authenticate the Docker daemon so the python:slim pull in
      # uv-pip-compile.sh uses our (much higher) authenticated rate limit
      # instead of the shared-runner anonymous one. Best-effort: on fork PRs the
      # secrets are unavailable, so this no-ops and the pull falls back to
      # anonymous (covered by the retry loop in the script).
      - name: Login to Docker Hub
        if: steps.check.outputs.python
        continue-on-error: true
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Run uv
        if: steps.check.outputs.python
        run: ./scripts/uv-pip-compile.sh

      - name: Check for uncommitted changes
        if: steps.check.outputs.python
        run: |
          echo "Full diff (for logging/debugging):"
          git diff

          echo "Filtered diff (excluding comments and whitespace):"
          filtered_diff=$(git diff -U0 | grep '^[-+]' | grep -vE '^[-+]{3}' | grep -vE '^[-+][[:space:]]*#' | grep -vE '^[-+][[:space:]]*$' || true)
          echo "$filtered_diff"

          if [[ -n "$filtered_diff" ]]; then
            echo
            echo "ERROR: The pinned dependencies are not up-to-date."
            echo "Please run './scripts/uv-pip-compile.sh' and commit the changes."
            echo "More info: https://github.com/apache/superset/tree/master/requirements"
            exit 1
          else
            echo "Pinned dependencies are up-to-date."
          fi