name: Lint

on:
  push:
    branches: [main, dev]
  pull_request:
    branches: [main, dev]

# Cancel old runs when a new push lands on the same branch/PR. See ci.yml.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
        with:
          python-version: "3.12"
      - name: Install ruff
        # Hash-pinned via ci/ruff-pin.txt. Closes the OpenSSF Scorecard
        # / CodeQL PinnedDependenciesID alert. See ci/README.md.
        run: pip install -r ci/ruff-pin.txt --require-hashes
      - name: ruff check (lint)
        run: ruff check src tests examples
      - name: ruff format (check only — no rewrites)
        run: ruff format --check src tests examples