.PHONY: build publish scan-secrets scan-dist lint test

build:
	uv build

lint:
	uv run ruff check src/ tests/
	uv run ruff format --check src/ tests/

test:
	uv run pytest tests/

# Scan working directory for secrets (skips .gitignore'd files)
scan-secrets:
	gitleaks detect --source . --no-git --redact

# Scan built packages for secrets (unpacks tar.gz and whl)
scan-dist: build
	trufflehog filesystem dist/ --fail --no-update

# Build, scan, and publish — safe pipeline
publish: build scan-dist
	uv publish dist/$$(python3 -c "from gaol import __version__; print(f'gaol-{__version__}*')")
